Welcome to my talk on the Trusted Computing Platform Alliance, the motherboard of all big brothers. I'm Lucky Green. Some of you may have seen some talks here before in years past. This one will be a somewhat unusual talk. The reason why it will be unusual is because you will hear a tale of epic proportions. You will hear about conspiracies and deceit. You will hear details about conspiracies that some certainly would say are conspiracies that have been going on in some cases for as much as seven years. I'm quite glad that I've been scheduled after this very interesting talk by Sklyarov's attorneys, which had certainly addressed some of the details of the DMCA. Because this talk too will, by necessity, even though it's mostly a technical talk, have to address some of the issues that the DMCA is raising, probably to most of us that are interested in how our equipment works.
Some of you may have heard since of Microsoft's Palladium initiative, which is very much related to the initiatives of the Trusted Computing Platform Alliance. I won't talk about Palladium specifically, except that Palladium is really a subsection of the TCPA with some slight modifications. The Palladium effort grew out of the TCPA effort. Microsoft has made some minor changes to the underlying architecture, but many of the components and, most importantly, all the conclusions remain intact.
So, first of all, what is the TCPA and what are its business objectives? The TCPA's business objectives are fairly straightforward. Its members wish to prevent the use of unlicensed software, such as say copies of Microsoft's licensing fee or that could be copies of an operating system, but naturally it also will be copies of digital content. A key component of TCPA is to mandate and make stick, from a technical perspective, not just from the legal perspective that the DMCA allows you, to make copy protection stick.
From a technical perspective, make it stick that you will not be able to rip CDs, you will not be able to create DivXs. It will plug the analog hole, and I will later get into what the analog hole is all about and why Senator Hollings is very much interested in the analog hole. It will, which is probably the most insidious aspect of the TCPA, enable a truly Orwellian information flow control scheme that is so far unthinkable because the technology until the TCPA simply hasn't existed.
Lastly, perhaps not lastly, an additional objective of the TCPA is to grow the market for PCs. Here's why. One of the TCPA's founding members is Intel Corporation. Intel, as most of you know, makes most, a fair chunk, of its money from PC microprocessors. Intel owns most of the market of the PC microprocessor. Really AMD's only left as a competitor, and they're not a very big one from Intel's perspective. So how does Intel grow the company? As far as Intel is concerned, the way to grow the company is by growing the market for PCs. One market niche that has been identified is home entertainment center PCs, such as many folks already have set up their own video servers and MP3 servers at home. It's quite clear that there's a consumer market for such a product. Intel intends to be providing the chips.
And then an issue that, of course, can never be forgotten. Whenever you see these large industry initiatives, they cannot be pulled off without government cooperation, or perhaps one should say government collusion. The government too has some objectives; they wish to see their operational needs met. That could be the FBI, that could be the Office of Homeland Security, the NSA, and let's not forget about non-U.S. law enforcement agencies, which have needs of their own that are perhaps somewhat different from the needs of those in the U.S.
How does the TCPA accomplish these business objectives?
It does so, to sum it up in one sentence, by preventing the owner of a computer from obtaining root access. That is you. By taking away root from the owner, and giving root to third parties, such as those mentioned on the previous slide, and making it stick from a technical perspective, the members of the TCPA believe that they can finally do away with all these pesky cracks and hacks and serial numbers and binary patches to MSO.DLL that will make the registration codes go away, and all these other things that they feel are costing them money.
How is this accomplished? It's accomplished by adding a whole new mode to either the chipset or the CPU. There will be three levels of access. Privileged access, which is available to TCPA members only, and the clientele. Underprivileged access, which will be available to you. And unprivileged access, which will be available to non-TCPA applications, basically dental code that you simply don't trust.
Where is all of this coming from? The Trusted Computing Platform Alliance has a somewhat interesting history. It grew out of a number of efforts, certainly the processor ID of Intel, big failure, big public failure in 1998, but just because Intel was crucified by the press and at the time by its competitor AMD does not mean that the ideas have gone away. It simply means that the ideas have somewhat changed and the implementation cycles have lengthened. The implementation is still very much on track.
The concept of encrypted CPU instruction sets. I first heard about encrypted CPU instruction sets coming out of Intel, I think it was in 1995. At the time, Intel fully intended to roll out encrypted CPU instruction sets as the second phase after the processor ID. When the processor ID went down in flames, Intel decided that perhaps now might not be such a good idea to roll out encrypted instruction sets, or suffer the same fate. So encrypted instruction sets, again, have been put on the back burner. They have not gone away.
The International Cryptography Framework by HP, few people remember, it was a fairly big initiative. And then of course, smart cards on the motherboard, which IBM is working on, and a few other initiatives that I don't really want to get into at this point.
Who is the TCPA? The TCPA was founded in 1996 by Intel, Microsoft, HP, Compaq and IBM. There are many DRM initiatives out there. Some of them have been founded by the content owners. This is a different initiative. Intel, obviously; Microsoft is the largest operating system and application vendor on the planet. HP, Compaq and IBM between them own a fair share of certainly the business side of the platform market. And Intel, of course, provides the CPUs to the vast majority of these PCs. So really the TCPA is a form of platform product vendors.
Who has, since the initial founding members, joined the TCPA actively? On the CPU side, we have Intel, Advanced Micro Devices and Motorola. Hands up here who, for their daily primary computer, is using a PC that is not using a CPU by one of these three operating system vendors. One, two, three, four, okay, we have a few. Not very many. The BIOS and chipset vendors, or as they say, the BIOS vendors and some specialized chip vendors: Phoenix/Award, they have merged, AMI, National Semiconductor, which again, amongst them, account for the overwhelming majority of the BIOS market. On the security side, perennial favorites: VeriSign, Wave Systems, RSA Security, Check Point, Certicom, Trend Micro, Symantec, Tripwire, and the Swiss Crypto AG, which is probably best known for the fact that they actually put our NSA traps into their equipment. For many years, one of the sales folks was arrested by the Iranian government, must have been at least 10 years ago, for selling the Iranian government NSA-spiked equipment.
Crypto AG immediately fired the poor guy who was rotting in an Iranian jail, even though he was the best selling salesman of the company, had been so for many years. Not really, it's essentially the European vendor branch of the NSA.
On the application side, we have Microsoft, little surprise there, and Adobe, very little surprise there. The Sklyarov case that you heard about just in the presentation earlier, of course, was all about Adobe. Adobe called the FBI to ask the FBI to please pick up Sklyarov on criminal charges. Adobe later on distanced themselves from the activities, but the bottom line is it was Adobe who got it all started.
System side, again, you have seen these names: HP, IBM, Dell, Gateway, Fujitsu, Samsung, Toshiba. All the major platform vendors, all the major laptop vendors, except Sony, which is a different story I'll address later. All in all, the TCPA has 170 member companies. I know the font is too small to read. Suffice to say, it's the who's who of the platform market.
Alright, how does the TCPA work? Let's talk about the technology. There are two phases. Let's talk about phase one. In phase one of the TCPA, a trusted platform module, or TPM, which Ross Anderson in his FAQ about the TCPA lovingly calls the Fritz chip, after Senator Fritz Hollings, who has currently a bill pending in Congress that I'll talk about in more detail later.
What's the Fritz chip? The Fritz chip is a tamper-resistant chip that will be included on all future motherboards. A little while from now, as to how long is unclear, you should see the first such motherboards probably showing up on the store shelves, according to an analyst at Gartner Group that I've discussed this with, about in the first or second quarter of next year. At that time, not all your motherboards will have the chips, but the first motherboards with these chips will start shipping about Q1, Q2, 2003. That's according to the Gartner Group. The chip will be surface mount.
It can either be a separate part of the motherboard, or it might be integrated with the existing chipset on the motherboard. It really is up to the chipset manufacturers and the motherboard manufacturers. The chip will be Common Criteria EAL evaluated, to EAL level 3 augmented, which is really the highest security evaluation level you can do for a part at the cost constraints that the manufacturers were under. You can do certainly better. You can get a device, say, one of the boxes from inside, etc., but now we're talking of thousands of dollars. You can't add thousands of dollars to the cost of a motherboard, or you will no longer sell any. The cost of the part realistically has to be down somewhere in the dollar range.
What does the TPM do? It has two major areas of functionality. One is measurement, which I like to think of as snooping. And the other one is reporting, which is probably best thought of as snitching.
Let's look at the measurement side. On the measurement side, you have the components that you would expect. You have an engine that supports basic cryptographic operations. You have a secure cryptographic key store. As I'm speaking here, I'm using terms such as trusted and secure. They're used in this presentation and by the TCPA and its members somewhat differently than most of you probably would and most of its customers would. Trusted here means trusted by Microsoft to prevent you from copying their software and trusted by Disney to prevent you from watching their movies without giving them a dollar. Secure here means inevitably secure from the owner, that is, secure from you. This secure key store allows the applications that make use of the TPM to securely store keys that the user and the application will necessarily be able to read out.
There are the expected key management primitives, and there is something that I call the boot process hashing, because one of the measurements that the TPM engages in is measuring all the components of the PC boot process. I will show you later as to how this works and what these components are.
Let's look at the cryptographic operations. What would you expect? There is built-in support for hashing, SHA-1 and HMAC. There is a random number generator built into the TPM. Yet again, much to my dismay, just as we saw with the random number generator by Intel, we are only given access to the post-whitening output. The cryptographers amongst you will know that what this means is that you have absolutely no assurance that this random number generator is actually good or in fact is fully deterministic with just a 20-bit seed. You simply have no knowledge and no way of determining the quality of these random numbers. This is not accidental. The Common Criteria evaluation specifications mandate that the user not be given access to the raw bits or anything pre-whitening. Why, I leave to your imagination. The bottom line is that neither you nor anybody else will be able to determine whether this random number generator actually is trying numbers or is spitting out predictable values.
You have your expected asymmetric key generation. It's 2048-bit RSA, which is actually one of the few changes that the design has seen in the last few years. It initially was specified at 1024-bit, but Microsoft and Disney apparently felt it and Intel felt it insufficient to protect their connects copies of Snow White, so they moved up to 2048-bit. You have the expected asymmetric key encrypt/decrypt and symmetric encrypt/decrypt. Initially, the specs called for triple DES because AES had not yet been specified, but with AES specified, probably what you will see is the use of AES. Then, as I mentioned earlier, there's a tamper-resistant hash and key store.
All right, let's look at the key management. Am I going too fast? Can you guys hear me? All right. There's a lot of ground to cover and we only have an hour, or actually only 45 minutes, so I'm trying to rush through this talk a bit, but there's a lot of information. They've been working on this for a long time and they've thought about it very hard.
You may wonder how I actually know about this. I initially found out about it quite a few years ago, but I must confess in public that I spent an entire year sitting on a TCPA working group. I sat in the working group because at the time I believed that this might be a marvelous technology to secure what's sitting underneath my operating system. I don't trust the hardware that my OS is running on. I thought that TCPA was the way to give me the assurance that I can trust my hardware. I ultimately realized it was unable to do that, and moreover it was able to do other things that I by no means wanted to see done. Learn a few things. And just for the record, all this information is public information. I'm not violating any NDAs.
The TPM is at the factory equipped with a TPM-unique, which means motherboard-unique, endorsement key. This is an RSA key that's signed by the TPM manufacturer's key, which in turn is signed by the TCPA master key. It's a key hierarchy that goes back to the TCPA master key. We do not know, I do not know, nobody that I know that's able to talk about it knows who owns this TCPA master key. It would be a marvelous topic to determine. This key is used to determine that the TPM is genuine and it's not just something that pretends to be a TPM on the legal of the keys and therefore allow it to not pay for Microsoft Word.
Once the user takes possession of the TPM, the user then generates key pairs, multiple key pairs if they wish, submits those to a CA for certification, and the TPM signs this certificate request with the TPM endorsement key, thus proving to the CA that the keys were generated by a real TPM which in fact does not have access to the private keys.
Let's look at the hashing. I don't know if you can see this graph, but I'll try to run you through it. Let's take a look at a trusted computing platform pre-operating system boot process. This is really just the standard PC platform boot process with some enhancement. In the top left, we have the root of trust. You have to start trusting somewhere, from something. In the TCPA's case, you have to trust the BIOS boot block. The BIOS boot block, if the BIOS boot block is compromised, all bets are off. However, there are various reasons why it's hard to replace the BIOS boot block in this case. The BIOS boot block loads the BIOS. After the BIOS, you have the various option ROMs load; for example, your Ethernet cards, your SCSI cards, your option ROMs might be loaded after the BIOS is loaded.
If you look at the right side, you see in the gray area that's the TPM and its associated storage area, which by the way is unlimited. The TPM, very similar to what nCipher is doing with the key blobs, the TPM simply AES- or triple-DES-encrypts the data and then stores it as an opaque file on disk. Thus, the potential protected storage area behind a TPM is as big as your hard drive.
The TPM stores the hash, option ROMs are being hashed. The hash is loaded, option ROMs are loaded. Then you load the Digital Rights Management bootloader, the hash of that is stored, which finally loads the Digital Rights Management kernel. The Digital Rights Management kernel is what Microsoft in the Palladium initiative calls the Nub. I don't know why they call it the Nub. Or Trusted Operating Root.
The Trusted Operating Root is essentially, it's very similar to a microkernel that gets loaded before your existing kernel, be it Linux or NT, your existing ring zero supervisor. Before your existing ring zero supervisor code ever gets loaded, you're already running on top of a DRM microkernel. After the DRM microkernel loads, it loads the operating system. The TPM again stores the hash.
There may be an additional step. When I'm speaking of an operating system load, this is a generic operating system. This is what the TCPA allows an operating system vendor to implement. Not all operating system vendors will implement all features. This is the sum total of the features that you can put in. What you frequently will find is that either the entire operating system or critical parts of the operating system will be encrypted on disk. What happens is the TPM loads the machine-specific decryption key of the operating system binary, decrypts the operating system encrypted on the drive, so you don't actually know what the operating system does anymore because it's AES encrypted, so there's no more reverse engineering or patching an operating system without permission. The operating system gets decrypted, and the AES binary gets decrypted, loaded as usual.
In phase one, the decryption, the symmetric decryption, is actually taking place outside the TPM. The TPM decrypts, the TPM provides an internal RSA key which decrypts the AES key, but that's not initially done in hardware because it was too expensive, which of course means that there's an avenue for attack. In future versions of the TCPA, and of course in the proposed Microsoft Palladium, this would actually be done at the CPU level, thus requiring you to go through some fairly invasive measures to actually get the decryptor.
The operating system gets loaded, and initially the operating system will load an approved hardware list, which I will just call here an HCL, and the initial serial number revocation list, an SRL. You may wonder what the heck is a serial number revocation list, I've never heard of that; we'll get to that.
The TCPA, the trusted computing platform operating system is, are you getting scared yet? Yeah, you should. The trusted computing platform operating system is now in a known initial state. What do we know? We know the BIOS is TCPA approved. As far as these approvals are concerned, if you think you can get an approval for your distribution of Linux, your limb distribution, then you're out of your mind. The BIOS is TCPA approved and signed, the PCI cards are TCPA approved and signed, or at least the expansion ROMs are. Of course, who would get signatures for the devices? Well, certainly nobody who cannot certify that the DMA channels used by the devices do not enable unapproved access to operating RAM, because with DMA, of course, you can just go straight to the operating RAM without ever going to the CPU and its DRM microkernel. Hence, you need to know that the hardware that, hence no assurance that you don't use DMA to get at Snow White, no signature for you.
You also will know that no kernel-level debugger is loaded, because the operating system binary is hashed. You have a hash of all the modules. You know for a fact that there is no way for the user to get at the raw bits. You have an initial list of undesirable applications that you are not allowed to run. That's our serial number revocation list.
Let's give some examples of TCPA or TCPA-like operating systems. This is, of course, Microsoft's Palladium. Take a look at the DRM OS patent that will go into some more details as to what this is all about.
What didn't make it on the slide: both HP and IBM are coming out, or planning to come out, and are actively working on TCPA-evaluated versions of Linux that actually will have been subjected to security evaluation. Again, I will talk about these a little bit more later.
What does the trusted computing platform operating system initially do? It first starts a secure time counter. There will be no turning back the system clock. Why is that important? Well, if you, say, rent a video for a week, we certainly wouldn't want you to watch this after 10 days. Or if your Microsoft Word license will be for the period of a year, then you certainly should not be able to run it after a year and a half. The operating system then synchronizes against an NTP server. Finally, it goes over the Internet, obtains a new hardware control list and a new serial number revocation list. This doesn't have to happen every time the OS boots up. There will be metrics that will allow you to work in an offline mode. You don't have to always be connected. But say if you don't connect for a week, your DVD may no longer play. And if you don't connect for a month, then perhaps your word processor will no longer work. The exact time is TBD.
Now, in the pre-application mode, there will be two primary application loader protection modes. The first one is mandatory. In a mandatory mode, the operating system will simply flat out refuse to load any non-TCPA approved applications, or applications that are on the serial number revocation list or just otherwise deemed undesirable. There will also be a voluntary mode in which the operating system will load a non-approved application, sending a signal to all running applications that the system has been compromised by its owner, to please clean up after itself.
As a result, and I actually have a little graph here, a little table of how this works, if you're running in voluntary mode, you can load an unapproved application, but all the applications that are expecting the DRM microkernel to guard them against the user will then simply shut down, wipe out their memory and ask the operating system to clean up after themselves before your application ever gets on the memory.
What will the application do if it's been loaded? Well, the application of course verifies the hashes that are stored in the TPM that we stored earlier. It verifies that it in fact is licensed for the particular platform, as I mentioned earlier. Each platform owner will have keys that are specific to the platform, so you will know for a fact that this copy of Office is licensed to this particular motherboard and no other motherboard. It will verify the license duration, say if you have a license that's time-limited, which under that scheme most licenses probably will be, because you can now actually finally make time-limited licenses stick. It will obtain a fresh serial number revocation list from the net. It will verify that mandatory applications are running.
One example is, there are a number of application vendors out there that are nowadays subsidizing the application by means of spyware, be that Gator or whatever. There's a bunch of them out there. You folks have seen them. But what they found is that there are users out there that will just simply uninstall the spyware that's running on their PCs and that's getting the benefits of the free software without the drawbacks of the spyware. Under the scheme, you can guarantee that an application that you deem necessary for the application to run, such as spyware, is in fact loaded, operating and unpatched or otherwise disabled. Then the application in some cases will obtain a fresh document revocation list from a number of document revocation servers.
I will explain to you what document revocation servers are, again, on a later slide. Only at this point the application will actually accept user input or do anything with your documents.
Why? What can... Why are the application vendors so keen on it? Well, as I mentioned earlier, there's a revenue enhancement issue. There is a... It allows, at least the belief, it allows them to grow the market. Here we have some good quotes. Bill Gates says, we can think of this about music, but then, as in digital rights management of music, but then we realize that email and documents were far more interesting domains. Why are email and documents far more interesting domains? And Steven Levy wrote in the article, in the exposé about Microsoft's Palladium on MSNBC, he wrote, you could create Word documents that could be read only in the next week.
So we get to the first quiz. How will the law help the TCPA and its members stifle competition? Here's why. The application vendors, such as Microsoft, and Bill Gates said as much in the interview, intend on wrapping all their file formats in digital rights management. Those of you who were here for the previous talk will know the answer. So what's the question then? The question is, what does a federal prosecutor call an application that is compatible with a proprietary DRM-wrapped file format? Any takers? A circumvention device, exactly. It's an illegal infringement device. That's correct. An illegal infringement device.
What does it mean if your compatible application is an illegal infringement device? It means that the software author who wrote this application is subject to a $500,000 fine and five years in prison, double that for each subsequent offense, and for writing a compatible application. That doesn't even require any rules. That law is already on the books. It's called the Digital Millennium Copyright Act. So that leaves software authors with two very simple choices.
The moment file formats are wrapped in DRM, you have two choices: you can not create interoperable software, or you can spend five years in prison. That's assuming that you only have one user. If you have more users, that adds another 10 for each additional user, which is not to say that they'll put you away for 100 years, which they probably wouldn't; they will simply come to you and say, well, we can put you away. There's about an 80% chance that we can put you away for a very, very long time. Are you willing to take the chance, or will you just simply plead guilty and take the five, six, 10 years that we're offering you? Your attorney will probably tell you, and I'm not an attorney, but I hope there may be some attorneys in the courtroom, in the courtroom. But your attorney will, I believe, and likely will, tell you that you're better off to take the deal. And you probably will feel the same way.
We talked about measurement. Let's talk about reporting. So we have the snooping. Let's get onto the snitching. TPM reporting is about reporting state to challengers. Challengers can be the local operating system. It can be the application. In most cases, though, it will be a remote challenger. A remote challenger is a challenger that requests state via the Internet: digital content servers, secure time servers, and information authorization servers.
Looking at reporting to remote entities, the remote challenger, which could be any of the above entities, can determine that the platform is in an approved state. The owner of the machine does not have privileged access to the CPU. The operating system and application software are fully licensed to that machine with maintenance fees paid. The operating system and applications are completely, utterly unpatched and unmodified, because otherwise the hashes wouldn't check out. And of course only approved applications are loaded, if that is of interest to the application vendor or content provider.
What features does the TCPA enable?
It enables, first and foremost, to secure an ongoing revenue stream. The TCPA makes it trivial to enforce annual licensing fees. It allows you to stifle competition, which we've discussed. What else does it allow you to do? It allows you to defeat the GPL. It allows the vendors, and the courts and the intelligence, to enable information invalidation. It facilitates intelligence collection, and of course it meets the needs of law enforcement, and many, many more. We've talked about the first two. Let's talk about the next one.
Let's talk about how the TCPA allows an application vendor to defeat the GPL. HP and IBM are developing a TCPA-compliant version of Linux. Now, a question that has been raised by Ross Anderson, a researcher at UC Cambridge, of Cambridge University in the UK, was how do they plan on making money off this? After all, the GPL requires that their result is covered by the GPL, is just as much open source, because they have to give it away for free. The evaluation process, an E3 evaluation process for an operating system, requires literally stacks of documents this high. It is a bureaucratic nightmare. It requires many months. If you get away with $500,000 for the process, you get away cheaply. So how do they make money off it?
It's simple. Yes, they will not, neither IBM nor HP nor anybody else going through the process will deny that the result is covered by the GPL. They fully will admit it. You will be able to download the source code. You will be able to download. You will be able to compile it. You will be able to patch it. You can do absolutely anything except run it in trusted mode. Your operating system will do anything. It just won't run in supervisor mode, on which side it does away with some of the utility of the operating system. Why will it not run in supervisor mode? It won't run in supervisor mode because you don't have the right certificate.
You will need a motherboard-specific certificate in order for the operating system to access privileged mode on the new motherboards. Well, you don't have that certificate. Even if HP and IBM were to publish their own certificate, it only works on their motherboard. It doesn't do you any good.
So, there were some suggested fixes to the GPL. I'll go over a couple of them. The first one is to require software authors to provide whichever services are necessary to enable an application to operate as the user desires. First and foremost, it would kill the GPL. It violates Richard Stallman's free speech versus free beer principle, because it would require the application vendor to create a certificate for each user. They may not be able to do that at any rate. They would have to provide a service to each user. Say the user sends them a key. They would have to send them back a cert. That's no longer permitting free speech. That's providing free beer.
Furthermore, the application vendors can't just provide you with a master key, because the TPM, of course, does not just secure HP's or IBM's version of Linux. It also secures Snow White. If IBM and HP were to provide you with a master key, chances are you would be able to decrypt other digital rights management and encrypted software, and thus that would be a violation of the DMCA. Lastly, in many cases, you will have third-party vendors, such as VeriSign, sign certificates. You can't conceivably mandate that a third-party vendor provide a service that isn't even part of your contract.
What did Richard Stallman have to say about this? I talked with him about it. His reply was, treacherous computing is a major threat to our freedom. I think I would agree, and it is treacherous computing.
Let's look at information invalidation. As I mentioned earlier, applications will be able to query document revocation servers for the latest document revocation lists. Not all applications will implement that.
So far, there are no TCPA-enabled applications. However, some application vendors have already begun looking at additional digital rights management, not just time-based, but also revocation-based. For example, you may want to be able, in a company, to implement mandatory access control. Only employees can access the data. But even after that, you as the creator of a document may wish to have the ability to at some point enforce that the document will be superseded with a new version. For that, you need to be able to recall the document that you have written, but you don't know who has that copy of the Word document. It could have spread anywhere. Consequently, what you need is DRL servers that allow you to invalidate and revoke documents. There are a number of reasons why a document might be placed on a DRL. Application vendors could, though I suspect they will not because I believe they do not wish to take the heat for such a step, application vendors could invalidate a document generated by a specific application. If it comes out that your application was cracked, was hacked, was stolen, and the application vendor finds out which of these serial numbers has been spread all over Gnutella, the application vendor could revoke all documents ever generated by the application. So not only will the application stop working, but any document you've ever generated with it will no longer display on anybody's computer. I don't think the application vendors will do that. I think it's too ambitious. I believe the legal ramifications are too sketchy even for the application vendors. It could be mandated by a court order. 
For example, the document in question might contain the Horsemen of the Infocalypse: instructions for narcotics trafficking, child pornography, the next version of DeCSS, whatever the case may be, whatever the government doesn't want you to see, whatever the vendors don't want you to see. If they can take their case to a court and the court will issue an injunction that the following leaked document, the following information is not in the best interest of, or is against the law I should say, then your documents could be invalid globally. It could be locally illegal content. Pictures of women without veils are illegal in Muslim countries. As I mentioned, copy control ciphers are illegal, or at least the content providers claim are illegal, to be republished in the U.S., as the DeCSS DVD CCA case showed. The list of reasons is essentially unlimited, as it is for censorship. It facilitates intelligence collection. Documents signed by user keys very much simplify activity correlation. Yes, you can have multiple keys, but how many keys are you going to have? Two, three, five, ten? You won't have a hundred, and even if you had a hundred, how do you keep track of a hundred keys? Especially if it comes out that you have to pay per key because, of course, VeriSign ultimately will not sign your keys for free. Initially, sure, you may not have to pay, but do not believe for a moment that the service will be free in perpetuity. A globally unique document ID, of course, obviously facilitates traffic analysis, and this preemptive information invalidation greatly simplifies information flow control. If information has leaked out, say, by a disgruntled government employee who decides that they wish to share with the public some of the shenanigans that the government was up to, they can just take the document and invalidate it. Law enforcement needs. 
The moment you have DRM, the moment you have digital signatures on documents, the moment this key is being kept in hardware and can be proven to have never left the hardware because it's a hardware security module, you have undeniable proof of authorship. Law enforcement likes undeniable proof of authorship. Courts like undeniable proof of authorship. Opposing parties like undeniable proof of authorship. You have the document I've talked about. Now what happens if a document gets invalidated? Let's say there's a document that contains what the MPAA asserts is illegal decryption software. Let's say the document gets invalidated. You still need to be able to access the document in court to prove that this guy in fact was trafficking in a mathematical equation that could be used to decrypt Snow White. Well, needless to say, there will be special versions for special people that have different rules of access control for law enforcement purposes, evidentiary purposes. These special versions, however, will never leak out into the public because, just as the applications I mentioned earlier, they're keyed to a specific motherboard. They simply won't run on any other motherboard. Will the TCPA meet government requirements? Let's ask Microsoft. Mario Juarez, the Microsoft Palladium (which is the TCPA variant) product manager, said we're talking to the government because there are governments in the world and not just U.S. governments, all of which needs to be met for a global initiative such as this to actually take off. Let's quickly look at Fritz Hollings' bill. It was mentioned briefly earlier. Fritz Hollings' bill's objective is to plug the analog hole (Fritz is a senator in the U.S. Senate) with 2048-bit RSA. What does this mean? Encrypt monitor out, encrypt video out, encrypt audio out. Do not give the user an ability to get at the clear text, the raw analog data coming out of a mini-DIN jack. In Microsoft's case, they also plan to additionally encrypt the keyboard. 
This bill would make it illegal in the United States, if passed, would make it illegal in the United States to sell in the future, sell motherboards that are not equipped with TCPA-compliant computers. Earlier you may have thought this is just insane. Nobody will buy this stuff. You won't be given a choice. You will buy it. Or what else could happen? Let's take another quiz. What is the penalty a person selling a non-TCPA-approved computer will face under the Hollings bill? Answer A, a fix-it ticket. Anybody here believe it's going to be a fix-it ticket? All right. We have a few. You guys lay off these drugs. I know it's DEF CON, but still. Answer B, six months in jail. Who thinks it's six months in jail? Nobody. And then answer C, a $500,000 fine and five years in prison for the first computer you're selling that doesn't comply with the TCPA. Double that for each subsequent offense. All right. All right. We're making progress here. That's correct. The correct answer is C, a $500,000 fine and five years in prison for the first computer you're selling and potentially 10 years and a million dollars for each subsequent computer you're selling. But Palladium will be... released as open source. We have good news. Microsoft announced that Palladium's source code will be published. The group VP for Windows says, "We're trying to be transparent in all of this." Some take this as proof that Microsoft has changed its business practices. Now, others continue to remain skeptical. Yet on to another quiz. Why is Microsoft releasing their source code? That just seems out of character, some would think. Here are the answers. Answer A, Microsoft intends to place Microsoft Office under the GPL in 2003. Answer B, Microsoft will release the Windows source code under the BSD license in 2004. All right. All right. Yeah. BSD. Go BSD. I'm a big FreeBSD myself. Answer C, Microsoft has little choice but to release Palladium as open source because the Hollings bill requires it. Yeah. Yeah. All right. 
Answer C. S28 requires that, and I quote, "the security system standards shall ensure that any software portion of such standards is based on open source code." So maybe we'll have to wait for NT under the GPL a little longer. Use of TPMs is voluntary. You'll hear that all over the place. One thing that Stuart Okin, security officer from Microsoft, will guarantee is Palladium will be off by default. Absolutely true. You don't need to run it. You don't need to boot your computer. Using gasoline in a car is an opt-in technology. What I found is a rare piece of history. It's a wood gas carburetor. After Germany in World War II had been cut off from its oil reserves, they mounted these wood... basically it's like a big oven, a big stove that gets fired from below. You put wood in it. If heated dry, it generates flammable gas that you can then feed into your car. You don't get much performance out of the car, but it will move the car forward. If that's all the functionality you want out of your computer, that's absolutely correct. You will not need to use Palladium. It's totally voluntary. Absolutely. No doubt about it. Now, some people say, Lucky's an alarmist, nobody would ever do such an evil thing. No operating system vendor would ever dare to block undesirable applications from running on a computer. Well, let's ask Microsoft. Microsoft's Windows Media Player's end-user licensing agreement: "Microsoft may provide security-related updates to the operating system components that will be automatically downloaded onto your computer. These security-related updates may disable your ability to copy and/or play secure content and use other software on your computer." It's in the end-user licensing agreement right now. So would they disable applications running on your computer once they can? I think some might say they will. Microsoft says they will. Let's take a quick look at the digital holes in phase one. 
The op-codes are in plaintext on the bus, meaning you can mark them off. The solution is bleeding obvious. In phase two, the encrypted CPU instructions will not be decrypted until they hit the CPU, in which case now you get to decap, now you get to decap a P5, you get to work down your layers. It gets nasty. It gets hideously expensive. Users can select a non-TCPA-approved operating system for minimum functionality. Obvious solution: prevent the non-approved OS from accessing CPU supervisor mode. Geoffrey Strongin with AMD, who is very much in on this, said, "There will be new modes and new instructions, a whole new class of microprocessors not differentiated by speed but by security." They're adding a mode to the CPU. "This new hardware architecture involves some changes to CPUs which are significant from a functional perspective," said Mario Juarez with Microsoft, whom we quoted earlier. Yes, it will be significant from a functional perspective. If you don't have one of the certificates, you will have no functionality. Well, you can always run in real mode. Nothing will prevent you from running the CPU in real mode. You're certainly welcome to do that. The TCPA may not succeed. In fact, I believe it will not succeed because there are people like Ross Anderson writing FAQs and people like me giving talks. But it might succeed. If it will succeed... Processor ID, let's take a look at that. Big strategic mistake. Intel went alone. AMD saw an easy PR victory. The public rejected it. There was another reason it wouldn't actually have done what they wanted to do. TCPA might... Processor ID just wasn't aggressive enough. And the online privacy groups were completely ignored. Intel thought they could just steam over everybody. It blew up in their faces. They've learned; now that they're coming around for round two, they are a bit more savvy. They've learned their lessons. They've built a broad consensus: Intel, AMD, Motorola, all the BIOS vendors that have ever mattered. 
The system vendors and the application vendors that matter are all on board. That makes it a lot easier to pull things off. There's a two-pronged technical and legal initiative. As I mentioned, the TCPA, Palladium, et cetera, is on one side. Senator Hollings and his bills are on the other side. In fact, there's a companion bill in the House. And the online privacy groups, at least according to the TCPA, were briefed early. Which platforms will be enabled by TCPA? I took this from the website, the banner that is. If you look at the image, you will see laptops, servers, PDAs and mobile phones. Mobile phones are actually the next big thing for the TCPA, which is why Motorola is involved so actively. In future versions, games, digital content, streaming MP3, all this stuff will be streamed onto the device, under 3G. They don't want the user to be able to copy their music off the handheld device, to copy the games off the handheld device, hence TCPA on the mobile. What will be the end result? According to John Manferdelli, the general manager for the Microsoft Palladium Business Unit, the end result is "a system with security similar to a closed architecture system, but with the flexibility of the open Windows platform." I read this and I was wondering, what is he trying to say? And I think what he's trying to say is that you will have about as much control over your PC, be that operating system, be that applications, be that content, as if you were running on a timeshare system from behind a dumb terminal. But they will make you maintain the system, buy all the equipment. So pay for the equipment, pay for all the maintenance, without them actually being required to provide all the infrastructure that a timeshare system would. In some sense, Palladium and the TCPA are the offline version of .NET. All the security benefits of not allowing the user access to their own applications and their own platforms without any of the costs. 
At this time, I would like to run through this as quickly as possible, but we're low on time here. I'm willing to take any question you have or at least try to take any question you have. If you email me, I'm not reading email during DEF CON. I know it's a hacker con, but folks, there are better things to do at DEF CON. I'll answer later, or talk to me during the con. Find me somewhere. There's some questions. I see one right here. Yes, sir. Quick, come up. I can't hear you. Oh, what are they going to do against the terrorists smashing the key servers? I think the belief is that the key servers will be replicated, and that the network is sufficiently rigid at this point in time to not be subjected to terrorist attack. What are they doing currently for you not being able to install Microsoft Office unless you contact back to Microsoft? The answer is during 9/11, people couldn't install Office, but terrorists... whether or not you can use your software is another concern to Microsoft's business model. There was somebody on the left. Yes. Come up a little bit if you have a question. I can't hear you if you're further back. What happens if the root key becomes compromised? I don't know because I don't even know who holds the root key. Presumably the same thing that would happen if a major CA root key becomes compromised. The odds of that happening are extremely low. If you look at VeriSign's bunkers, if you look at some of the other major commercial CAs, the security measures they put in place, the chance of compromise is low. I don't know what the strategy is. Yes, sir. Where is Apple Computer? Apple Computer is watching. Apple Computer is not, to my knowledge, on board, but Motorola is. And when Microsoft decides someday that Microsoft Office requires these features in the CPU or it will not display documents generated on the Windows platform, which they intend to. 
And Microsoft will simply go to Apple and say, Apple, you have two very simple choices. You can implement DRM by using Motorola's CPUs with DRM capabilities built in or we will no longer release Office on the Mac OS X platform. I don't think Apple can afford that. Come up if you have any questions. I can't hear you if you're more than a few rows down. Yes. That of course is a question only to be left for the courts during litigation after the laws have been built. My understanding is, certainly from reading the Hollings bill, and I'm not an attorney, I'll defer this to some of the attorneys in the audience, that the Hollings bill is by no means just limited to general purpose computers such as motherboards, but essentially covers any of our digital devices that the content holders feel may infringe on the copyright. Yes, sir. Yes, I should mention that, my apologies. The Hollings bill does not mention TCPA by name anywhere. In fact, it makes absolutely no reference to any technology, any specific technology by name. It just happens to describe a capability that would need to be implemented that, as it so happens, simultaneously has become available out of the marketplace. What a marvelous coincidence. I beg your pardon. How can you fight this? You can fight this by speaking up. You can fight this by educating people about some of the negative... You will hear a lot about the positive consequences of TCPA and Palladium. You will hear how it will protect your computer from viruses and worms and all these other promises. At that time, I think it's helpful to point out what some of the potential negative consequences are. Perhaps you can come up with a solution that will give us at least much of the positive without enabling all these negatives, because nobody is standing up there, as far as the vendors are concerned, saying, "We plan on revoking your documents." No, you do have to read between the lines as to what's going on. So, point it out. My slides... 
There is a version on the CD that is a couple of weeks out of date. The slides will show up on Cypherpunks Tonga as soon as I've had a chance to upload them, and unfortunately I had a hardware failure a few days ago that I'm still recovering from. But it will be on Cypherpunks Tonga, if not today, if not tomorrow, then certainly by next week. Yes. EPIC and EFF? Where are they in terms of lobbying the U.S. government? I don't presume to speak for the EFF or EPIC, but it's my understanding that they're currently investigating Palladium and TCPA to determine what their position should be. Yes. From an antitrust, and again I'm not an attorney, antitrust typically only applies if you have some... It's typically only successful if you don't have a broad ability by the application vendors to join. Anybody can join TCPA. If you're a legitimate application vendor you can get the application signed, and the DMCA specifically says that you should not be able to read somebody else's digital rights management wrapped file formats, which I believe, but again, I'm not an attorney, is essentially explicitly exempted from antitrust. Let's take somebody from over there. Yes, ma'am. Yes, I probably should point this out. The new mode that will be added will effectively play the role of what today is done by ring zero, but it will really be a ring minus one. So your existing ring zero code will run in ring zero being none the wiser, thinking it's in ring zero. However, above it is a ring minus one that determines which memory space your ring zero code can sub-allocate to your ring one, two, and three code. So from a compatibility perspective, you will still be able to run all the existing operating systems and all the existing applications. They will not be able to get any of the protected storage or any of the other information that's protected by the TPM. From your OS perspective, what's happening above it is totally transparent. Yes. Oh, Sony is a special case. 
Sony, of course, is both... Microsoft is somewhat of a small content provider. They have Microsoft and we've seen a few. But they're not so much in the content game. Sony is both heavily in the content and heavily in the computer game. What... If you look at the membership lists of the various groups fighting for legal protection of their copyrighted work by means of draconian technical means, you will find that there's very little overlap. It appears that the vendors made a decision to choose one of the fora to fight in. Be that either the content provider forum or the technologists' forum. Sony is very heavily involved in the content technology forum. Not so much in the content forum. It appears they've chosen to fight the fight in the content forum rather than the technology forum. For the long-winded answer. Yes. Again, that's the question for your attorney only after the laws have been passed by Congress and signed by the president. And even then the question probably can't be answered until there's been some case law. I'm running over time here. I'll take one more question after yours. The answer is I don't know if this is the answer. I choose to believe that the digital rights management requirement does not come into play unless there's actually some digital rights management that can take place. So, say, if you have a new file format in which none of the content providers publish their digitally rights-managed content then you're probably okay. If you have a general purpose computing platform things might get dicey. One more question. Let's take someone in the back, but you have to step up because I will not be able to hear from where you stand. That's an excellent question. Most of the average users couldn't care less as to whether they can compile their own operating systems or their own applications. 
In fact, most average users probably would happily entrust the security of their computer to the FBI and the Office of Homeland Security, and many average users actually probably would support a mandate for the Office of Homeland Security to remotely administer computers for security. How do you address it? Users like content. That's a good example. Users like content. Even non-hackers, non-sophisticated computer users have been bitten at one point by the Napster bug, and it did a marvelous job in bringing to the user the promise of getting content for free with a user interface they could use, and having thus become addicted, one can perhaps educate them that the supply is about to be cut off. Thanks for your time. I don't want to take too much time from the next speaker.