Trusted computing 'can't be trusted'

NEWS Cryptographers and security firms took opposite sides over the potential privacy dangers of trusted computing, an initiative to use encryption to secure information from hackers and, in some cases, the PC's user. On Wednesday, three companies that sell products and services aimed at securing corporate computers and data told attendees at the RSA Conference 2003 in San Francisco that trusted computers would help businesses secure their systems. However, the praise came two days after well-known cryptographers warned an audience that trusted computing could put the keys to their information in someone else's hands. "This key-based infrastructure leads to market dominance and lock-out and allows others to treat you computer as theirs," said Whitfield Diffie, a top encryption expert and chief security officer for Sun Microsystems. The lesson: "Hold the keys to your own computer." Trusted computers are PCs, servers and consumer devices that can secure specific data using encryption. The Trusted Computing Group was formed last week by Advanced Micro Devices, Hewlett-Packard, IBM, Intel and Microsoft to create specifications for such systems and promote the adoption of trusted platforms. The group has pushed such systems as measures that should make it harder for viruses and hackers to take control of systems and cause damage to critical files. Even secure companies expose themselves to attack when a customer or supplier connects to their network, said John Muir, a partner with information technology security consultancy Trusted Strategies, who moderated a panel on trusted computing at the conference. "Even if we have done everything we should be doing, we can still be damaged by connecting to PCs that don't have protections," he said. Trusted computers can help ameliorate the problem by walling off critical data from attacks, he added. However, critics warn that the technology can also allow software makers and service providers to take control of how their applications run on a person's computer. Such technology could make the legal copying of music and files illegal, make it more difficult for one application to read another's data, and enforce licensing agreements that might not hold up in court. Ronald Rivest, a computer science professor at Massachusetts Institute of Technology, warned that, with industry directing the development of the technology, citizens should watch closely where the companies take trusted computing. Rivest is one of the three creators of the RSA encryption technology; he's the R in RSA. "We should be paying close attention to this (trusted computing) and make sure it is along the lines of what we want," he said. "Privacy tends to go down in inverse to the number of transistors in the world," he told attendees. Others have made similar statements, particularly in regards to a feature of Microsoft's version of trusted computing, formerly known as Palladium but now dubbed the "next-generation secure computing base." The feature, remote attestation, allows an application running on a computer to phone home and check that it's current status, or integrity, can be verified. However, such concerns are still premature, said Kurt Lennartsson, senior vice president of PointSec and a panelist. As of yet, very little information has been released on how such a scheme will work. "I think the privacy concerns will be addressed," he said. "The market does a great job in doing that." Robert Lemos writes for News.com