Intel about to make the same error as with processor ID?

  • Thread starter Thread starter Jan Panteltje
  • Start date Start date
J

Jan Panteltje

I just got this from German ARD teletext

567/0 ARD-Text 18.04.04 14:53:26

Multimedia / Internet
Intel-Chips mit eingebauter Sicherheit
Der Chip-Hersteller Intel hat jetzt die
n{chste Generation von Prozessoren fuer
Mobilgeraete vorgestellt, die fest inte-
grierte Sicherheitsvorkehrungen gegen
Hackerangriffe und auch Urheberrechts-
verletzungen besitzen.

Translation:
Intel chips with build in security.
The chip manufacturer Intel has now
announced its next generation processors for
mobile computers, that have fixed integrated
security measures against hacker attacks
and also copyright violations.

JP
 
I just got this from German ARD teletext

567/0 ARD-Text 18.04.04 14:53:26

Multimedia / Internet
Intel-Chips mit eingebauter Sicherheit
Der Chip-Hersteller Intel hat jetzt die
n{chste Generation von Prozessoren fuer
Mobilgeraete vorgestellt, die fest inte-
grierte Sicherheitsvorkehrungen gegen
Hackerangriffe und auch Urheberrechts-
verletzungen besitzen.

Translation:
Intel chips with build in security.
The chip manufacturer Intel has now
announced its next generation processors for
mobile computers, that have fixed integrated
security measures against hacker attacks
and also copyright violations.

JP
Click to expand...

Is the same as the code found in Itanium and AMD 64?
 
Translation:
Intel chips with build in security.
The chip manufacturer Intel has now
announced its next generation processors for
mobile computers, that have fixed integrated
security measures against hacker attacks
and also copyright violations.
Click to expand...

Intel has started including a Trusted Computing Group chip in their
newest chips. The first one that's available (the one I think this
article is talking about) is the new XScale (ARM) PXA27x. The TCG
chip is also expected to find it's way into both AMD and Intel desktop
processors in the near future.

There are some potential benefits to this, despite what all the
tin-foil crowd like to say, this TCG technology CAN be used to improve
the security of a system. In fact, that is a primary goal of it.
However it can also be used to implement "Digital Rights Management"
(more than a bit of a misnomer, as some poster on /. said recently
"rights do not need to be managed"), something that many people object
to. It could also be used, for example, to better enforce company
computer policies, another thing many people don't much like.

So, is this like the processor serial number? Not exactly. The TCG
technology has some potentially very useful technology while the
Processor Serial Number did not. On the flip side, there are some
potentially downsides to this TCG stuff, while the serial number was
pretty much pointless.
 
Tony Hill wrote:

So, is this like the processor serial number? Not exactly. The TCG
technology has some potentially very useful technology while the
Processor Serial Number did not. On the flip side, there are some
potentially downsides to this TCG stuff, while the serial number was
pretty much pointless.
Click to expand...

I'd think if they eliminated buffer overruns in hardware, most security
issues would be solved, at least from where I'm at. Almost all the linux
security issues are caused by that and many of the windows ones as well or
so it seems from reading all the patches.
 
I'd think if they eliminated buffer overruns in hardware, most security
issues would be solved, at least from where I'm at. Almost all the linux
security issues are caused by that and many of the windows ones as well or
so it seems from reading all the patches.
Click to expand...

It's not really possible to eliminate buffer overruns in hardware,
just to limit the amount of damage that can be caused when a buffer
overrun occurs. With the non-executable memory pages that AMD has in
their x86-64 chips a buffer overrun tends to just become a DoS attack
instead of a remote exploit. Definitely an improvement, but by no
means a surefire fix, and it is still possible (though somewhat
difficult) to get a remote exploit with a buffer overrun, even with
non-executable pages.

The Trusted Computing stuff takes this a step further, and in that
regards it should be a welcome addition. However it's the other stuff
that makes it seem rather.. umm.. frightening I suppose.
 
Jan Panteltje said:
Translation:
Intel chips with build in security.
The chip manufacturer Intel has now
announced its next generation processors for
mobile computers, that have fixed integrated
security measures against hacker attacks
and also copyright violations.
Click to expand...

- cut the marketing crap -

Intel finally will include random number generator in mobile
processors just like Via did some years ago.

or

Intel will ad NX bit in desktop processors following AMD trail.

or

Intel will screw itself including "Trusted Computing" crap forced by
M$ idiots. Same "Trusted Computing" was behind Passport security
leaks and all W2003 worms (W2003 is TCG certified lmao).


Pozdrawiam.
 
So, is this like the processor serial number? Not exactly. The TCG
technology has some potentially very useful technology while the
Processor Serial Number did not. On the flip side, there are some
potentially downsides to this TCG stuff, while the serial number was
pretty much pointless.
Click to expand...
But does it have some unique ID?
Not that give a .... my IP address and ethernet Hwaddr already uniquely
ID me.
But this I KNOW, in my view users should be informed if they are traced.
JP
 
So, is this like the processor serial number? Not exactly. The TCG
technology has some potentially very useful technology while the
Processor Serial Number did not. On the flip side, there are some
potentially downsides to this TCG stuff, while the serial number was
pretty much pointless.
Click to expand...

I think so far, in the hands of folks with power, the potential
downside seldom has the word "potential" after a while. The potential
usefulness often remains at potential.

--
L.Angel: I'm looking for web design work.
If you need basic to med complexity webpages at affordable rates, email me :)
Standard HTML, SHTML, MySQL + PHP or ASP, Javascript.
If you really want, FrontPage & DreamWeaver too.
But keep in mind you pay extra bandwidth for their bloated code
 
Stacey said:
Tony Hill wrote:



I'd think if they eliminated buffer overruns in hardware, most security
issues would be solved, at least from where I'm at. Almost all the linux
security issues are caused by that and many of the windows ones as well or
so it seems from reading all the patches.
Click to expand...

I thought most windows issues were caused by outlook and window's
bad habit of executing carefully crafted email attachments. Things
like mypictures.jpg.exe, or one of the newer ones, something.jpg<bunch
of spaces>.exe. MS seems to be trying to fix their poor design
decisions by yet more hardware.

The linux security issues do seem to be mainly buffer overflows,
although an occasional kernel security issue does creep in.
 
Stacey said:
I'd think if they eliminated buffer overruns in hardware, most security
issues would be solved, at least from where I'm at. Almost all the linux
security issues are caused by that and many of the windows ones as well or
so it seems from reading all the patches.
Click to expand...

So long as variable length data (usually local char arrays)
are stored (on the stack, usually) where they can walk over
return addresses, then buffer over-runs will exist with severe
security consequences.

The currently discussed "hardware protection" is nothing more
than making the stack-space non-executable. That will stop
those attacks which bring in executable code. But not those
which simply bring in data, and alter the return address to
a suitable fragment in the original, unaltered executable
(exec `/bin/sh`)

-- Robert
 
But does it have some unique ID?
Click to expand...

My understanding is that yes, you can uniquely identify a PC by it's
Trusted Computing Processor (or whatever the name of it is today).
Not that give a .... my IP address and ethernet Hwaddr already uniquely
ID me.
But this I KNOW, in my view users should be informed if they are traced.
Click to expand...

They should be, but aren't today. I don't think this Trusted
Computing stuff is really going to change things much here, as you
mentioned the ethernet MAC address is already unique as far as 99.9%
of all users are concerned (yes, it can be changed, but virtually no
one does change it). Similarly you can get a serial number from your
hard drive to uniquely identify a PC, or you can go the Microsoft
route and get a sort of hash of all the hardware in the system.

The TCG stuff works in almost the exact same way as all of this, it
just automates things a tiny bit more, ie the application just
executes one bit of code specifically designed to get this information
rather than pulling it out of a variety of sources.

Note that this doesn't mean that web sites can secretly spy on you
because of this. As long as your browser isn't COMPLETELY broken
(read: as long as you are not running Internet Explorer with it's
enormous multitude of security holes) it's not possible to execute
arbitrary code like this just by viewing a web page. However if you
install an app on your system it could well read the TCG number and
report back to the app writer.
 
Tony Hill said:
It's not really possible to eliminate buffer overruns in hardware,
just to limit the amount of damage that can be caused when a buffer
overrun occurs. With the non-executable memory pages that AMD has in
their x86-64 chips a buffer overrun tends to just become a DoS attack
instead of a remote exploit. Definitely an improvement, but by no
means a surefire fix, and it is still possible (though somewhat
difficult) to get a remote exploit with a buffer overrun, even with
non-executable pages.
Click to expand...

I've said it before, and I'll say it again. If these OS designers had just
implemented the Intel segmentation mechanisms to separate out code from data
and the stack, this stuff would've never ever happened.

Yousuf Khan
 
My understanding is that yes, you can uniquely identify a PC by it's
Trusted Computing Processor (or whatever the name of it is today).


They should be, but aren't today. I don't think this Trusted
Computing stuff is really going to change things much here, as you
mentioned the ethernet MAC address is already unique as far as 99.9%
of all users are concerned (yes, it can be changed, but virtually no
one does change it). Similarly you can get a serial number from your
hard drive to uniquely identify a PC, or you can go the Microsoft
route and get a sort of hash of all the hardware in the system.

The TCG stuff works in almost the exact same way as all of this, it
just automates things a tiny bit more, ie the application just
executes one bit of code specifically designed to get this information
rather than pulling it out of a variety of sources.

Note that this doesn't mean that web sites can secretly spy on you
because of this. As long as your browser isn't COMPLETELY broken
(read: as long as you are not running Internet Explorer with it's
enormous multitude of security holes) it's not possible to execute
arbitrary code like this just by viewing a web page. However if you
install an app on your system it could well read the TCG number and
report back to the app writer.
Click to expand...
What really worries me about all this, is that your PC will possibly
become just a terminal to a MS authentication server (or the States
or whatever regulating authority), where they will be able to deny
even net-access if you do not run THEIR software and hardware.
OR, force you to upgrade.
Something like customer binding.. but then with a big lead ball on your
foot.
Absolutely these systems should NOT be part of a processor, and given a
choice I would buy from the competition.
Not only that, it is technically very possible to have some logic in
the mobo chipset that stores keyboard strokes, and sends these over the
net upon request to some NSA(for example) URL.
With only 2 processor manufacturers and just a few chipset makers, this
is a real danger.
It would become a real disaster if the system was hacked, as every bodies
secrets would be out.
We should really do whatever we can both technically and politically to
avoid such a system becoming a reality.
I do not want to give up my computing to some big corporation, MS, or a
state controlled by it.
I do not want to see Linux killed by it (and that included IBM too) by
having a system that lets only 'authenticated' PCs connect to the net.
the servers will of cause be the next target from that group, and once
they get their hands on the servers, or routers even, they can do what
they want.
IF laws need making, let us start giving food to the lawyers by having them
look at protection of free Internet traffic, independent of system, country,
OS, and everything else.
JP
 
What really worries me about all this, is that your PC will possibly
become just a terminal to a MS authentication server (or the States
or whatever regulating authority), where they will be able to deny
even net-access if you do not run THEIR software and hardware.
Click to expand...

having a system that lets only 'authenticated' PCs connect to the net.
the servers will of cause be the next target from that group, and once
they get their hands on the servers, or routers even, they can do what
they want.
Click to expand...

Oh yes, this is precisely the worry. Once a standardized system is in
place, with the mass market volume of x86 consumer system, it would be
an easy, logical next step for them to start implementing surveillance
and control systems into the internet structure.

From then on, forget about free speech and all that nonsense.

--
L.Angel: I'm looking for web design work.
If you need basic to med complexity webpages at affordable rates, email me :)
Standard HTML, SHTML, MySQL + PHP or ASP, Javascript.
If you really want, FrontPage & DreamWeaver too.
But keep in mind you pay extra bandwidth for their bloated code
 
[email protected] (The little lost angel) wrote

uhm .. carnivore :/
Click to expand...

Is that thing still around, are they really using it already?

--
L.Angel: I'm looking for web design work.
If you need basic to med complexity webpages at affordable rates, email me :)
Standard HTML, SHTML, MySQL + PHP or ASP, Javascript.
If you really want, FrontPage & DreamWeaver too.
But keep in mind you pay extra bandwidth for their bloated code
 
What really worries me about all this, is that your PC will possibly
become just a terminal to a MS authentication server (or the States
or whatever regulating authority), where they will be able to deny
even net-access if you do not run THEIR software and hardware.
OR, force you to upgrade.
Click to expand...

That is a VERY big jump from what the TCG group in implementing.
There is absolutely NO WAY for the current TCG stuff to ever do what
you're talking about, it would have to be a SIGNIFICANTLY different
technology. Now, will one thing lead to the other? Well that's
another question...
Something like customer binding.. but then with a big lead ball on your
foot.
Absolutely these systems should NOT be part of a processor, and given a
choice I would buy from the competition.
Not only that, it is technically very possible to have some logic in
the mobo chipset that stores keyboard strokes, and sends these over the
net upon request to some NSA(for example) URL.
Click to expand...

You do, of course, realize that this could happen right now with
spyware applications. Implementing it in hardware would still require
software support (drivers at least), ie you would need spyware
installed regardless of what hardware you had. If this has to be
supported in the operating system anyway, why would someone bother
with trying to stick this on hardware? It would be much easier and
cheaper just to do it all in software.
With only 2 processor manufacturers and just a few chipset makers, this
is a real danger.
Click to expand...

A bigger danger is that there is only one main operating system
vendor. As mentioned above, you need the OS to do this regardless of
any hardware backend.
I do not want to see Linux killed by it (and that included IBM too) by
having a system that lets only 'authenticated' PCs connect to the net.
Click to expand...

I somehow don't see this happening. It's not in anyone's interest
other than Microsoft to allow this, and while Microsoft has a lot of
power in the PC industry, they don't have THAT much power.
Particularly companies like IBM, HP, Dell, Intel and AMD would all
gang up against such a plan.
 
You do, of course, realize that this could happen right now with
spyware applications. Implementing it in hardware would still require
software support (drivers at least),
Click to expand...
You make some good points, and I hope you are right.
But implementing in hardware in the chipset would need no software or OS
or anything else at all, hardware buffer for the keystrokes, compare
incoming request in on board ethernet versus (encrypted likely) Hwaddr
send to (encryped) url, be done, OS would not know.
Sort of the ultimate backdoor, right there on the mobo :-)
If it can be done it will be done.
Maybe by a Dr Strangelove, or some group with power in the gov, like that
Homeland group...
If you were in their position, well I would press for it to be implemented.
Fun times as always.
JP
 
Back
Top