Against TCPA

Week of November 17, 2004

At least two thirds of our miseries spring from human stupidity.
 - Aldous Huxley

It's a good thing Bill Gates is a nihilist. If the Holiday Magic wanker actually believed in anything other than Playboy, pretzels, poker, pizza, and beer - and of course raw power - we'd be in a lot of trouble. But Bill was raised great by his sod of a mamma, so we can relax.

The Doctor Evil and Fat Bastard (Steve Ballmer) of computing are however still a force to reckon with, and their megalomania is not innocuous, something to shrug off. The Dynamic Duo of Duplicity still have horrible things in store for civilisation if their plans work out.

What they have going for them - what is working against civilisation - is that ordinary schmucks don't take computers seriously. Grannie still thinks it's novel to connect to her sister across the country with AOL Instant Messenger and 'have a verbal chat electronically'.

Although people spend a lot of time choosing an auto, computers are still junk items where the come ons of Dell and Gateway and other junkmeisters with their misleading low prices are all that matters. Buy a piece of junk; it comes with Windows; that's fine. Computers are still not part of the 'accepted' collection of household appliances.

But computers already rule the world, rule all other industries and walks of life like no other force, no other technology. And this is what Bill Gates and Steve Ballmer know, and this is where their advantage lies, and they know it.

Gates wasn't always the demon he is today. Once upon a time he was firmly convinced his niche was providing computer language compilers and interpreters for the burgeoning home computing market. Things changed rapidly however, and Gates and Ballmer didn't miss a shot.

The TCPA is the Trusted Computing Platform Alliance. It's originally the idea of Intel, but as with all things where Microsoft can get involved, it gradually turned into their baby. The TCPA was formally founded in 1999 by Compaq, HP, Intel, and Microsoft.

The TCPA goes today under a wide variety of names, and the formal name of the organisation has been changed as well. Observers agree that this is deliberate policy to confuse the public so that the dangers are not as readily apparent.

Intel started the ball rolling. Kings of the hill, they realised that to remain prosperous they would have to continue to increase the size of their already saturated market. As entertainment was already predicted to become the next killer app, the TCPA's mother was singled out and it needed only to be invented.

Microsoft got in the game (and today control it) out of a desire to bring the killer app within their empire. If the TCPA achieve their goals, software piracy will be cut dramatically; more importantly, Microsoft can enforce a 'lock in' which makes it more costly - and more difficult - to switch away from Microsoft products and choose, for example, Apple or open source alternatives.

Microsoft are namely aware of the general consensus amongst economists that an incumbent in a maturing market such as MS Office's can only grow faster than the market itself if a 'lock in' is used successfully.

As Doctor Evil himself said:

'We came at this thinking about music, but then we realised that e-mail and documents were far more interesting domains.'

The idea of being able to boot a computer into a 'trusted' state was implicit in the first IBM PC where there was only ROM and no hard drive to harbour malware. The idea was then refined at the University of Pennsylvania in an IEEE paper from 1997 and patented in the US on 6 February 2001.

Not surprisingly, Microsoft have applied for patents of their own.

The Fritz Chip

The key to this scheme is something known as the 'Fritz' chip: a smartcard chip or dongle soldered to the computer's motherboard. The current version has five components.

• The Fritz chip.
• A 'curtained memory' feature in the CPU.
• A security kernel in the OS (the 'Nexus' in Gatesspeak).
• A security kernel in each application (the 'NCA' in Gatesspeak).
• A back-end infrastructure of online security servers.

It's the latter - the online security servers - that tie the whole thing together. They're run by the hardware vendors (Intel) and the software vendors (Microsoft).

The current version of Fritz uses a passive monitoring component that stores a 'key code' (hash) of the computer state on startup which is calculated using details of your installed hardware and software (a bit like MPA - Microsoft Product Activation as used in Windows XP).

If your computer boots into an approved state, Fritz makes cryptographic keys available to the OS which are needed to access not only your applications but even your data - your personal files.

These files can include not only media files but Microsoft Office files: the presence of Open Office or other alternatives could lead to your personal files remaining inaccessible.

[Note that this represents a quantum leap for Microsoft in their 'lock in' technology: up to now, vendors were free to decrypt the at times difficult file formats used by MS Office products, and alternatives such as Open Office and Star Office were viable; with this new scheme, they simply won't work - your computer might not only shut down either: Fritz can literally be programmed to destroy your files - or even your computer itself.]

Traitor Tracing

But all good (and bad) technologies (and especially Microsoft's) are sooner or later hacked - which is where the next lovely invention, 'traitor tracing', comes into play: if someone attempts to play a stolen media file, criminal prosecution will result; should that someone have received stolen media and / or hacked computer components from someone else, the technology will be able to follow the trail back to this horrid criminal who will then meet the same fate.

A naive police force gets an order against child porn files being passed around the Internet - all PCs in the TCPA scheme will delete and report the spread of the documents; then you'll have a libel or copyright case with a civil court order against an offending document; a dictator's secret police could punish dissidents by deleting every article ever written by them and reporting people who downloaded the materials; once police, attorneys, and judges realise the potential, the initial trickle will become a flood of an entirely new reality.

It will be a Brave New World.

What Can I Do?

Above all, you can - finally - start boycotting Microsoft products. Don't help to give Microsoft the financial standing to make their evil fantasies your nightmare reality. Their products are so crappy anyhow so you'll be really doing yourself the favour you should have done years ago.

Read up more on the TCPA and spread the word. The best resource is Ross Anderson, security guru at the Computer Laboratory of the University of Cambridge.

Link: 'Trusted Computing' Frequently Asked Questions by Ross Anderson

The fight against TCPA is also taking place in an international arena. Visit their website and learn as much as you can - and again: 'spread the word', and put up one of their banners if you have a website of your own.

Link: Against TCPA Website

Read Ross Anderson's paper on the EU IPR Enforcement Directive at the site of the Foundation For Information Policy Research - Microsoft have their hands deeply into this pie too and must be stopped even here.

Link: FIPR: A Threat to Competition and to Liberty by Ross Anderson

Contact your legislators and make them understand you will not support their rubber stamping the TCPA, and consider contacting your hardware and software vendors and giving them a piece of your mind as well.

Following are the companies who have signed onto the TCPA.

123ID Inc, 360 Degree Web, 3Com Corp, Access360, Acer Inc, ACEtek Research, ActivCard Inc, Adhaero Technologies, Adobe Systems Inc, Advanced Micro Devices Inc aka AMD, Aesec Corporation, Aladdin Knowledge Systems, Algorithmic Research Ltd, ALi Corporation, American Express Company, American Megatrends Inc, Argus Security Corporation, Atmel Corporation, ATMEL Rousset, AuthenTec Inc, Authentium Inc, Autotrol Uruguaya SA, Baltimore Technologies Ltd, BERGDATA AG, BindView Development, Blueice Research, Broadcom Corporation, BURNEY, Carraig Ltd, Caveo Technology LLC, Cavium Networks, CE-Infosys Pte Ltd, Cerberus Information Security Limited, Certicom Corp, Check Point Software Technologies Ltd, CHECKFLOW, Chrysalis-ITS, Cimarron Systems Incorporated, CipherKey Exchange Corporation, Cloakware Corporation, Communication Intelligence Corporation, Comodo Research Lab LTD, Compagnie Européenne de Développement SA, Compal Electronics Inc, Compaq Computer Corporation, Computer Associates International Inc, Computer Elektronik Infosys GmbH, Crypto AG, Cygate ESM Oy, CYLINK Corporation, Dell Computer Corporation, DICA Technologies Inc, DigiGAN Inc, Digital Innotech Co, Digital Persona Inc, Discretix Technologies Ltd, e-PCguardcom Inc, eCryp Inc, Eltan Comm BV, Enova Technology Corporation, Ensure Technologies, Entrust Technologies Ltd, ERACOM Pty Ltd, Ethentica, Excalibur Solutions Inc, FARGOS Development LLC, FINGLOQ AB, First Access Inc, Fortress Technologies Inc, Founder Technology Computer System CO LTD, Fujitsu Limited, Fujitsu-Siemens-Computers, Gateway Inc, Gemplus Corporation, GLOBEtrotter Software, Hewlett-Packard Company, Hitachi Ltd PC Div, Humans and Machines, HyperSecur Corporation, I/O Software Inc, ICSAnet, ID Tech, IdentAlink Limited, Infineon Technologies Corporation, Infineon Technologies Asia Pacific Pte Ltd, InfoCore Inc, Insyde Software Corp, Integrity Sciences Inc, Intel Corporation, Interlok Technologies LLC, International Business Machines Corporation aka IBM, International Service Consultants Ltd, Internet Dynamics Inc, Internet Security Systems, InterTrust Technologies, Iomega Corporation, IPTV Ltd, Kasten Chase Applied Research, Keycorp Ltd, Keyware Technologies Inc, Lanworks Technologies Co, Legend (SHENZHEN) R&D Center Legend Group Ltd, Lexign, Liquid Audio Inc, Litronic Inc, LOGISIL Consulting, M-Systems Flash Disk Pioneers, M3S Enterprises, Macrovision Corporation, Massive Media Group, Media DNA Incorporated, Medialogic Co Ltd, Miaxis Biometrics Co, Micron Electronics Inc, Microsoft Corporation, Mitac International Corporation, Mobile-Mind Inc, Motorola, National Semiconductor, nCipher Inc, NDS Limited, NEC Corporation, Net Nanny Software International, NetActive Inc, NetAtmosphere Inc, NetOctave Inc, NetSecure Software Canada, Network Associates Inc, New Trend Technology Inc, Novell Inc, nVidia, O2Micro, OSA Technologies, PC Guardian, Philips Semiconductors, Phoenix Technologies Ltd, Pijnenburg Custom Chips BV, Precision Digital Hardware, Pricewaterhouse Coopers, Prism Resources Inc, Pro-Team Computer Corp, Protect Data Security Inc, Rainbow Technologies Inc, Raytheon Company, Raz-Net Inc, Redstrike BV, RSA Security Inc, SafeNet Incorporated, SAFLINK Corporation, SAGEM MORPHO Inc, SAGRELTO Enterprises Inc, SAMSUNG ELECTRONICS CO LTD, Schlumberger Smart Cards, Science Applications International Co, Scienton Technologies Inc, SCM Microsystems, Sectra Communications AB, Securant Technologies, Secure Computing Corporation, Secure Systems Solutions, Siemens AG, Silicon Integrated Systems Corp aka SIS, Softex Inc, Sony Electronics Inc, Sospita ASA, SPYRUS Inc, SSH Communications Security Inc, Standard Microsystems Corporation, STMicroelectronics, Symantec Corporation, Symbol Technologies Inc, TCL Computer Technology Co LTD, Texar Software Corp, Thales e-Security Inc, TimeCertain LLC, Titan Systems Corporation, Toshiba Corporation, Trend Micro Inc, Tripwire Inc, Trispen Technologies, TruSec Solutions, Trustpoint Corporation, Tsinghua Tongfang Co LTD, TVN Entertainment Corporation, Ubizen, Utimaco Safeware AG, ValiCert Inc, VeraSafe Inc, Verasity Technologies, Veridicom Inc, Verisign Inc, VIA Technologies Inc, Vibren Technologies An NEC Company, Viewpoint Engineering, Village Inc, Voltaire Advanced Data Security Ltd, Wave Systems Corp, Wincor Nixdorf, WinMagic Inc, WinVista Corporation