----------------------------------------------------------------------
Boing Boing Blog
----------------------------------------------------------------------
1. Owner Override: a proposal to fix Trusted Computing. My colleague Seth Schoen has written an audacious article for Linux Journal in which he calls on the architects of "Trusted Computing" [TCPA|TCG|Palladium|NGSCB] systems -- which ostensibly solve some of the Internet's security problems by adding cryptographically secured tamper-detection to the hardware of the commodity PC -- to add a feature that he calls "Owner Override."
Trusted Computing proposals have drawn fire as tools for lock-in and other anti-competitive strategies; Seth's Owner Override allows the owner of a computer to override the Trusted Computing security when it is in her own interest.
For example, you could use Owner Override to tell a "lie" to your bank, which insists that you use Microsoft Internet Explorer to access its website, and convince the bank's webserver that your copy of Opera or Safari or Mozilla is really Internet Explorer. This is possible (even routine) today, but in a Trusted Computing universe, it will be impossible, modulo Owner Override.
Fortunately, this problem is fixable. TCG should empower computer owners to override attestations deliberately to defeat policies of which they disapprove. Giving the owner this choice preserves an essential part of the status quo: third parties can never know for sure what's running on your PC. TCG already defines a platform owner concept. The TCG specification also should provide for a facility by which the platform owner, when physically present, can force the TPM chip to generate an attestation as if the Platform Configuration Registers (PCRs) contained values of the owner's choice instead of their actual values.
APIs and a clear user interface for the override mechanism could be specified by an appropriate TCG committee. Only the platform owner should be able to do this; whenever a machine provides an inaccurate attestation, it does so for what its owner considered an appropriate reason. This change would do nothing to undermine the basic security benefits of the TCPA hardware, including those outlined in the Safford article; you still could tell whether your computer had been altered.
Link (via Vitanuova)
2. Censorware thinks blogs are unsavory. SurfControl, a censorware vendor, has roped off blogs from some of its customers' machines. That means that if your workplace, library or school relies on SurfControl to keep naughty pages away from its computers, you can't get at blogs, either.
Now that the Supreme Court has upheld the federal mandate requiring libraries to censor their terminals, companies like SurfControl control more than surfing: they control basic access to information.
Link (via Dan Gillmor)
----------------------------------------------------------------------
CNET News.com - Front Door
----------------------------------------------------------------------
3. Linux leaders offer education discounts. Red Hat and SuSE Linux launch new discounts to attract students and educational institutions, a strategically important customer set for technology companies.
----------------------------------------------------------------------
Slashdot
----------------------------------------------------------------------
4. E-Voting Expert Testifies
----------------------------------------------------------------------
SecurityFocus
----------------------------------------------------------------------
5. BugTraq: [Exploit]: Microsoft FPSE fp30reg.dll Overflow Remote Exploit (MS03-051). Sender: Adik [netninja at hotmail dot kg]
6. BugTraq: idsearch.com and googleMS.DLL. Sender: trappers [trappers at mail15 dot com]
7. BugTraq: UnAce 2.20 Exploitable Stack-Based Overflow (exploit code). Sender: [Li0n7 at voila dot fr]
8. Vulnerabilities: Cerberus FTP Server Unspecified Buffer Overflow Vulnerability. Cerberus FTP Server is an FTP server designed to provide powerful, multithreaded FTP server performance for a desktop user. A vulnerability has been reported to exist in...
9. Vulnerabilities: SCO UnixWare/Open UNIX Insecure Handling Of ProcFS Vulnerability. procfs is a virtual file system; it is not associated with a block device but rather exists in memory. The files in the procfs provide for access to data from the kernel....
10. Vulnerabilities: KDE KDM PAM Module PAM_SetCred Privilege Escalation Vulnerability. KDM is the KDE Display Manager, a component of the KDE Desktop Environment. It is available for Linux/Unix operating systems. KDM provides a graphical login interface f...