www/server/staging you-the-problem-tpm2-solves....

[Dora Scilipoti]

CVSROOT:        /web/www
Module name:    www
Changes by:     Dora Scilipoti <dora>   22/10/09 05:21:53

Added files:
        server/staging : you-the-problem-tpm2-solves.html 

Log message:
        Article by Chao-Kuei Hung (RT #1876123).

CVSWeb URLs:
http://web.cvs.savannah.gnu.org/viewcvs/www/server/staging/you-the-problem-tpm2-solves.html?cvsroot=www&rev=1.1

Patches:
Index: you-the-problem-tpm2-solves.html
===================================================================
RCS file: you-the-problem-tpm2-solves.html
diff -N you-the-problem-tpm2-solves.html
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ you-the-problem-tpm2-solves.html    9 Oct 2022 09:21:51 -0000       1.1
@@ -0,0 +1,256 @@
+<!--#include virtual="/server/header.html" -->
+<!-- Parent-Version: 1.97  -->
+<!-- This page is derived from /server/standards/boilerplate.html -->
+<title>You, the Problem TPM2 Solves
+- GNU Project - Free Software Foundation</title>
+<!--#include virtual="/server/gnun/initial-translations-list.html" -->
+<!--#include virtual="/server/banner.html" -->
+<div class="article reduced-width">
+<h2>You, the Problem TPM2 Solves</h2>
+
+<address class="byline">by Chao-Kuei Hung<a
+id="hung-rev" href="#hung"><sup>[*]</sup></a></address>
+
+<h3>1. Trust: to Give or to Earn?</h3>
+
+<p>Microsoft wants you to believe that you can give trust to TPM2 for
+better security.  TPM2 is made a mandatory prerequisite, not an option
+for Windows 11.  That does not square with how we understand
+&ldquo;trust&rdquo; to work.  In truth, TPM2 is not about enhancing
+the security of the users.  It is about solving the problem of the
+untrustworthy computer users in areas such as 
+<a href="https://drm.info/what-is-drm.en.html";>Digital Restrictions
+Management</a>, <a href="https://news.ycombinator.com/item?id=25336063";>
+game anti-cheating</a>, and 
+<a 
href="https://www.forbes.com/sites/seanlawson/2020/04/24/are-schools-forcing-students-to-install-spyware-that-invades-their-privacy-as-a-result-of-the-coronavirus-lockdown/";>exam
 proctoring</a>.  
+All these applications have failed so far because users have total 
+control over their physical properties, the computers.  That control 
+allows them to run DRM-stripping software on video/audio/
+<a href="https://github.com/nedlir/OfficerBreaker";>text</a> files, 
+plugins to cheat in games, and video intercepting software to cheat in 
+the exam, among many possibilities.</p>
+
+<p>To discipline the users against their possible ill wills, such
+software has to do way more than minding their own businesses.  They
+have to take the highest level of operating system privilege and
+prevent users from switching to other applications or even running, in
+the background, any potentially cheating-aiding software such as
+audio/video recorder.  That's why these classes of software all behave
+exactly like rootkit malware.  Microsoft has long been consistent in its 
+<a href="https://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html";>
+complicit approval</a> of Sony's rootkit and its insistence on content
+protection since <a 
href="https://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html";>
+the miserable failure that was Vista</a>.  With the help of TPM2 and the 
+assurance of mathematics, however, Microsoft can finally enforce it.  
+You have to earn their trust by letting TPM2 remotely attest to
+Microsoft and other software vendors about who you really are, and
+&ldquo;swear&rdquo; in cryptographic terms that you are not running
+anything against their software.</p>
+
+<h3>2. The biometrics of CPUs</h3>
+
+<p><a 
href="https://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html";>
+Fingerprints are usernames, not passwords</a>.  They facilitate 
+surveillance from governments or corporations over individuals way 
+better than they help individuals protect secrets and privacy.  For 
+example, it is encryption passwords (and the underlying mathematics), 
+not fingerprints, that can protect the secrets of a temporarily
+unconscious or even a deceased person.  In general biometrics are
+suitable for surveillance and not suitable for computer security
+because of their uniqueness, the difficulty for the owner to forge, and 
+the difficulty for the owner to refuse to reveal.  (Think of the 
+<a 
href="https://apnews.com/article/china-technology-beijing-business-international-news-bf75dd1c26c947b7826d270a16e2658a";>
+gait analysis technology</a> so well developed in China.)</p>
+
+<p>The public portions of the endorsement key (EK), Attestation
+Identity Key (AIK), and other keys in a TPM2 chip have properties
+similar to the biometrics of a person.  It is unique just like the
+serial number of the engine in a car, and the manufacturers keep track
+of all those numbers in their products.  With a physically carved
+serial number, it is easy for the user to share with his friends in a
+fake report in case the remote corporate lords demand the knowledge or
+the photo of that number.  In the TPM2 situation, however, knowledge
+of the public keys alone is not sufficient to carry out the
+attestations.  Cryptographic properties ensure that it is impossible
+for the user to attest without the physical presence of the CPU since
+the private part of those keys are sealed tight in the chip, protected
+even (mainly) against the computer owner.  This renders the old trick
+of sharing Netflix password, for example, invalid.</p>
+
+<p>For security experts or computer owners who disapprove of rootkit
+malware taking control of their computers, virtual machines are
+indispensable.  TPM2 will render VM technologies useless in 
+<a href="https://thomwiggers.nl/post/proctorio/";>their fight</a>
+against those classes of rootkit malware coming from the corporations. 
+The identity under which most VM's attest to the remote lords will 
+necessarily be different from any manufacturer-certified identities and 
+they will most likely be crippled or even outright banned by the Windows 
+OS.</p>
+
+<h3>3. The train of prison</h3>
+
+<p>Suppose an engineer has to design a luxurious prison made of a train.  
+It is not enough to ensure that each railcar is locked.  One also has to 
+ensure that there is no exit in each gangway between adjacent railcars.  
+A DRM-enforcing computer is a luxurious prison made of a train.  TPM2 is 
+the locomotive and provides the root of trust, followed by the UEFI 
+firmware, followed by the operating system, possibly followed by one or 
+more levels of virtual machines, and finally followed by the DRM 
+application.  In addition, there may be several intervening railcars 
+which represent the various trustworthy device drivers and/or services 
+started by the host and each level of guest operating system.</p>
+
+<p>If the user somehow inserts a virtual machine or service of her own
+design somewhere along the way, she may then escape from the prison even 
+if all the other railcars are trustworthy.  The platform configuration 
+registers PCR in a TPM2 chip are designed in such a curious way as to 
+allow only resetting and extending values but not storing arbitrary 
+values.  That's a cryptographic way of ensuring the gangways are sealed 
+tightly.</p>
+
+<h3>4. Closing in the Dragnet</h3>
+
+<p>If the dragnet is big enough, few fish swimming inside it will feel
+restricted.  If there are several holes on the dragnet, fish may be
+persuaded that what surrounds them is not a dragnet.  If the holes grow 
+smaller slowly enough, hardly any fish will care about it.  When the 
+main exit of the dragnet is taken care of, the small holes can be sealed 
+and all fish can finally be trusted to behave inside the dragnet.  The 
+following is a list of things likely to happen as TPM2 becomes pervasive.  
+The less controversial measures and those affecting only a small 
+population are more likely to happen earlier.</p>
+
+<ul>
+<li>Free firmware such as libreboot is not trusted.</li>
+<li>VM hypervisors are trusted only if their emulated TPM2 bear certain 
+public keys.</li>
+<li>Only the Microsoft version, possibly plus a small number of major
+distributions, of the GNU/Linux operating system are trusted.</li>
+<li>Applications are trusted only if they come from the Windows 
+Store.</li>
+<li>Applications are de-listed from the Windows Store if they are found 
+to circumvent DRM, etc.</li>
+<li>Software protecting user privacy and freedom against Microsoft
+telemetry and control are de-listed from the Windows Store.</li>
+<li>Software competing with Microsoft products are de-listed from the
+Windows store.</li>
+<li><a href="https://web2.qatar.cmu.edu/cs/15349/dl/DRM-TC.pdf";> Ever
+fewer</a> windows configuration settings remain modifiable if the
+system is to remain trusted.  Container technology might slightly
+mitigate the problem.</li>
+</ul>
+
+<p>Meanwhile, applications in such areas as DRM, game-anticheating, 
+exam proctoring, and chat message revocation will be among the first to 
+enforce remote attestation.  For it is relatively easy for the corporate 
+lords to persuade the population to give up their control of their own 
+physical properties in exchange for the delusion of 
+&ldquo;fairness&rdquo; (among the peasants) in these application 
+areas.</p>
+
+<p>In each of the above, Microsoft may leave alone the older versions
+of the mentioned software/firmware so as to minimize commotion and
+resistance.  Time will take care of the small group of old-school
+die-hard population.  Eventually Microsoft and its corporate partners
+will have total remote control over computers of the entire population, 
+who will finally earn the lords' trust.</p>
+
+<p class="center">* * * * *</p>
+
+<p>To escape from this dragnet, one can wean oneself from unnecessary
+cloud computing software starting today.  Gabriel Sieben 
+<a 
href="https://gabrielsieben.tech/2022/07/29/remote-assertion-is-coming-back-how-much-freedom-will-it-take/";>
+summarizes the situation</a> very well:</p>
+
+<blockquote>
+<p>Old copy protection systems tried to control what your PC could do,
+and were always defeated.  Remote attestation by itself permits your PC 
+to do almost anything you want, but ensures your PC can't talk to any 
+services requiring attestation if they don't like what your PC is doing 
+or not doing.</p>
+</blockquote>
+
+<p>Richard M. Stallman's warning about 
+<a href="/philosophy/who-does-that-server-really-serve.html">Service as 
+a Software Substitute</a> 10 years ago is refreshingly worth heeding 
+again today.  For communicating with friends and colleagues, 
+<a href="https://opensource.com/article/20/5/free-software-communication";>
+use a completely decentralized protocol or community-run service</a>.  
+There are, however, some cloud services (e.g. games) that many people
+find hard to resist.  It is therefore important to bring awareness and
+discussion of this issue to a wider population if we believe that
+physical property right should never be stolen by the
+&ldquo;intellectual property right&rdquo; propaganda.</p>
+
+<div class="infobox extra" role="complementary">
+<hr />
+<p><a id="hung" href="#hung-rev">[*]</a>Chao-Kuei Hung is a professor at
+the Chaoyang University of Technology and a member of the Software 
+Liberty Association, Taiwan.</p>
+</div>
+
+</div><!-- for class="article reduced-width" -->
+</div><!-- for id="content", starts in the include above -->
+<!--#include virtual="/server/footer.html" -->
+<div id="footer" role="contentinfo">
+<div class="unprintable">
+
+<p>Please send general FSF &amp; GNU inquiries to
+<a href="mailto:gnu@gnu.org";>&lt;gnu@gnu.org&gt;</a>.
+There are also <a href="/contact/">other ways to contact</a>
+the FSF.  Broken links and other corrections or suggestions can be sent
+to <a href="mailto:webmasters@gnu.org";>&lt;webmasters@gnu.org&gt;</a>.</p>
+
+<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
+        replace it with the translation of these two:
+
+        We work hard and do our best to provide accurate, good quality
+        translations.  However, we are not exempt from imperfection.
+        Please send your comments and general suggestions in this regard
+        to <a href="mailto:web-translators@gnu.org";>
+        &lt;web-translators@gnu.org&gt;</a>.</p>
+
+        <p>For information on coordinating and contributing translations of
+        our web pages, see <a
+        href="/server/standards/README.translations.html">Translations
+        README</a>. -->
+Please see the <a
+href="/server/standards/README.translations.html">Translations
+README</a> for information on coordinating and contributing translations
+of this article.</p>
+</div>
+
+<!-- Regarding copyright, in general, standalone pages (as opposed to
+     files generated as part of manuals) on the GNU web server should
+     be under CC BY-ND 4.0.  Please do NOT change or remove this
+     without talking with the webmasters or licensing team first.
+     Please make sure the copyright date is consistent with the
+     document.  For web pages, it is ok to list just the latest year the
+     document was modified, or published.
+     
+     If you wish to list earlier years, that is ok too.
+     Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
+     years, as long as each year in the range is in fact a copyrightable
+     year, i.e., a year in which the document was published (including
+     being publicly visible on the web or in a revision control system).
+     
+     There is more detail about copyright years in the GNU Maintainers
+     Information document, www.gnu.org/prep/maintain. -->
+
+<p>Copyright &copy; 2022 Chao-Kuei Hung</p>
+
+<p>This page is licensed under a <a rel="license"
+href="http://creativecommons.org/licenses/by-nd/4.0/";>Creative
+Commons Attribution-NoDerivatives 4.0 International License</a>.</p>
+
+<!--#include virtual="/server/bottom-notes.html" -->
+
+<p class="unprintable">Updated:
+<!-- timestamp start -->
+$Date: 2022/10/09 09:21:51 $
+<!-- timestamp end -->
+</p>
+</div>
+</div><!-- for class="inner", starts in the banner include -->
+</body>
+</html>