<D <M <Y
Y> M> D>

When I last left you, I was off to a Dar Williams/String Cheese Incident concert in Berkeley with Sumana. This turned into a bit of an adventure when it was moved at the last minute from an outdoor venue to an indoor venue on account of fears of rain. (It didn't end up raining after all.)

Arriving a bit late, we heard the tail end of Dar's performance and found the crowd dominated by String Cheese fans, which we ourselves turned out not to be. The last couple of times I heard a Dar Williams concert, she was paired with another female singer-songwriter from a folk tradition (Noe Venable, who in turn was paired with fellow female singer-songerwriter Kris Delmhorst when I heard her again). But the String Cheese Incident is really extremely different musically, and I think promoters are taking a bigger gamble by linking them up.

Sumana and I got to hang out for a while, and I got to see her new place momentarily -- it turns out to be just downstairs from where Cristina and Michelle used to live. There is also a bar on Telegraph which serves good food and (oddly enough) a large line of alcoholic herbal teas. It's called the Bison Brewery, and we went there for dinner after we left the concert.

At the concert, I bought a copy of Dar's Out There Live album, which has live recordings of songs I'm already familiar with, but they're subtly different from the versions I know. There are changes in tempo or instrumental arrangement or (in what I think is only one case) a lyric. This makes me think of Nick's ridicule of musicians' attempts to revitalize old works by arranging them for a totally unexpected instrument. (I like that practice a lot better than Nick seems to, actually. One thing I still haven't gotten a sense of is how a choice of music instrument changes our experience of a melody. But it really can.)

That concert was Friday the 25th, if I remember correctly. On Tuesday the 29th, I went back to Berkeley to see the documentary N is a Number, about the life and work of the late Paul Erdös -- a really remarkable mathematician. Erdös's friend and fellow remarkable mathematician Ron Graham (a veritable master of the discrete) was there answering questions from the audience about Erdös and assorted topics. Erdös was funny in the movie, not to mention inspiringly dedicated to mathematics (and, like Borges's Funes, "memorious"). I need to go hear some lectures from some of our great living mathematicians. I remember missing Persi Diaconis on Riemann's zeta function (something I still fail to understand well, maybe because I never made it to complex analysis). These lectures are happening all the time, and even in the Bay Area it would be hard to go a month or even a week without some really remarkable mathematician sharing some really profound insight. But I'm out of the habit of going to hear it. I didn't even make it to any of the other films in the Cinemath series.

That makes me a bit depressed in general, to be reminded of all the wonderful opportunities out there which I haven't been taking advantage of. Aaron Swartz just complained about Chicago being boring (which I don't agree with -- Biella's there at the moment, so hang out with her and Chicago won't be boring!), but anyway San Francisco and everywhere else is interesting in proportion to the effort you put into taking advantage of it. I'm realizing that I haven't been making such a serious effort compared to what I could be doing -- seth-trips notwithstanding. (My recent trips to Portland and D.C. put me even more in mind of this; I've only been overseas once, but even the major cities of the U.S. call for a couple of lifetimes' worth of exploration. Amy was speculating about the proverb which claims that only boring people get bored -- there are corresponding proverbs which say that, if you're tired of <CITY>, you're tired of life.)

But, as I was saying, I got to see N is a Number, and ran into several people I knew -- Kragen, Beatrice, and Praveen, the LNX-BBC developer Curtis, and Rohit Khare, of FoRK fame, whom I hadn't met before. We went out to dinner and Rohit, a huge baseball fan, watched the final game of the World Series. (I think most of the rest of us were trying to ignore it; Kragen, in particular, positioned himself facing directly away from the television.)

Friday took me to D.C., where I visited Amy and hung out with lawyers. I continued to feel that D.C. looks a lot like Boston, except for the marble or faux-marble public buildings. I have a sense that it's difficult for me to believe in the reality of any major city I haven't either lived in or visited regularly. (Chicago was an exception. Elsewhere, though, I seem to visit a new city and say "Aha, this city looks like...", and supply the name of some other city I actually believe in.)

I also got to see my friend Cate from high school -- now well-established in the adult world. Wonderful! It's too bad I missed my reunion this year; I'd like to know what more of the people I knew in high school are up to. I guess there's no substitute for e-mailing them directly.

42,000 people marched against the war in San Francisco, and the protest in D.C. was described as the largest since the Vietnam War.

Riana's actual description of the contents of the gold room at Powell's is "literature that isn't taken seriously ... yet".

I still haven't written up notes from the second Microsoft meeting or from the TCPA or LaGrande meetings. (I'm sorry about that, because I know people want to read them.) But I did get interviewed for, and quoted in, a pretty good Associated Press story about trusted computing.

Seth Schoen, staff technologist at the Electronic Frontier Foundation, said incompatibility is the biggest threat posted by the trusted-computing initiatives.

"I don't think anyone can absolutely compel you to do anything in particular," he said. "What they can do is create an incompatibility or refuse to deal with you unless you meet a particular condition."

I tried to stress that nuance in the interview, and the interviewer reproduced it pretty accurately -- although it might be less significant than I've made it out to be (in the sense that the pressure to conform to a condition might be so strong that it would be difficult for many people to refuse).

I liked the AP story, though it's not technical. I gave a longer interview to Technology Review, which is doing a story which I hope is going to be a bit more technical.

I'm likely to start a new blog at EFF pretty soon containing my discussions of EFF-related issues and news items. (Once I do that, I'll link from here to what I write there, but probably move much of the actual writing to that new forum.)

My owner override idea was meant as a thought experiment to raise the question of whether trusted computing can be implemented in a way which makes it useful to allow you to trust your own computer and doesn't facilitate having your computer perform functions you don't want it to.

As security experts point out, "trust" has a different connotation in security than it does in everyday language. In Ross Anderson's FAQ:

Or take a civilian example: suppose you trust your doctor to keep your medical records private. This means that he has access to your records, so he could leak them to the press if he were careless or malicious. You don't trust me to keep your medical records, because I don't have them; regardless of whether I like you or hate you, I can't do anything to affect your policy that your medical records should be confidential. Your doctor can, though; and the fact that he is in a position to harm you is really what is meant (at a system level) when you say that you trust him. You may have a warm feeling about him, or you may just have to trust him because he is the only doctor on the island where you live; no matter, the DoD definition strips away these fuzzy, emotional aspects of `trust' (that can confuse people).

(Emphasis added.)

So, to be more precise, I should say that the thought experiment asks whether you can have a trusted computing system which helps make your computer more worthy of your trust, without allowing your computer to do things you don't want it to do. In the more technical sense, you already trust your own computer all the time, which doesn't have anything to do with whether your computer is secure. (If you trust an insecure computer -- for example, by typing a passphrase on a machine with a keylogger installed -- you might suffer some adverse consequence.)

The owner override idea is directed toward one part of that question, but the other part is also interesting. Is it reasonable to trust a computer which hasn't been under your physical control at all times? (At the airports, they've stopped asking whether your bags have been under your control at all times since you packed them.) Is it reasonable to trust a computer which is owned and regularly physically controlled by another person? People constantly do trust computer equipment which isn't theirs; by doing so, though, they expose themselves to certain risks. Can those risks be eliminated?

Here's another example: you go to a random terminal, and you want to use it to connect to your own computer. You will have to trust that the terminal will let you use services on your machine in a way which respects your privacy.

With something like Palladium, the machine can show you a user interface which suggests that it's trusted to be running a particular platform. (In our second Microsoft meeting, we talked a little more about the user interface question.) But if that user interface is widely known and standardized, it can presumably be faked -- and if a machine normally lights a LED or something to show that it's in a certain mode or running certain software, that LED can be faked, too. (It's easy enough to find the LED's leads and connect them to a power supply instead of to the pins on the motherboard which are supposed to be indicating something about the current CPU or chipset operating mode!) In some scenarios, the user interface can share a secret with the end-user, but that doesn't seem to help much if the end-user is currently using a physically different machine from his or her own home box! (Sharing a secret with the user interface is helpful only when the user interface is provided by a device which knows the secret, which is not the case in the remote login situation.)

However, there is a possibility which was suggested at one point by Microsoft: your machine can make a cryptographic challenge to try to determine some characteristics of the device from which you're trying to connect (so that, if you don't get a connection, you know something is up, and in any case access won't be granted). The terminal could still steal your password, but the use of one-time passwords (with trusted password-calculating devices) or other trusted authentication hardware, like smart cards, can prevent your password from being taken in this way.

In addition, Palladium is going to provide a secure I/O feature, so the client software on the terminal you're trying to use (which can prove its identity to your server) can read your keystrokes and your server can know (when it grants you access) that you're accessing it using a hardware and software combination which sends your keystrokes only to your server, and your server's responses only to your eyes. That sounds pretty good, and your server can enforce this policy by forbidding connections entirely from systems which fail the relevant challenges (which can't prove that they are running certain software in a certain mode with certain capabilities). So far, so good.

However, we already know that secure I/O can be defeated by hardware attacks. If a recording device is placed in hardware between the keyboard and the motherboard, or inside the keyboard itself, the fact that the motherboard and software haven't been modified won't protect you! So your server can correctly authenticate the hardware and software platform of the terminal you're using to connect, while knowing nothing of the hardware bug which has been placed inside the keyboard you're using to talk to the terminal.

So it might be that there is no ultimately reliable way to trust someone else's hardware (or, "don't make a phone call on someone else's embassy's telephone, even if it's a secure phone").

The idea of a world in which the end-user's PC is irrelevant, yet the user still has strong security assurances, seems implausible to me. Some of the trusted computing advocates who have come to talk to us have imagined that world, and suggested that you could use essentially any device to access essentially any service -- the individual computer would become more fungible. But because of the new platform authentication capabilities which would become available, the security properties of the resulting interactions would be verifiable, and verifiably what end users would want them to be.

But that doesn't make sense if people can and will modify hardware -- keyboards and monitors -- to subvert Palladium or LaGrande secure I/O! A device like KeyGhost will be really cheap soon. (In fact, the basic version is already under $100.) KeyGhost even sells entire keyboards with the monitoring hardware built into the keyboard -- and tries to make their keyboards look indistinguishable from any other keyboard. So in some sense it is really not going to be ultimately safe to trust someone else's equipment.

I say this realizing that the status quo is not any better, and is probably worse. I used ssh to connect during my trip to Portland and Walla Walla, so I can claim that my communications were "secure". I even memorized part of the ssh host key fingerprint for the machine I was connecting to. But I connected from at least five machines whose software configurations I had no way to verify at all and which could all easily have been running keyloggers or screen grabbers.

Trusted computing systems could raise the bar slightly. For example, they could require the use of a hardware keylogger instead of a software keylogger, which would then cost $89 instead of $0. But attackers can be fairly determined, and Bunnie argued that hardware attacks do not imply a fundamentally greater sophistication or skill, only an incrementally higher cost (for physical fabrication of a device, whereas the marginal cost to duplicate software approaches zero). I'm not sure that trusting hardware instead of software, when the hardware is owned by someone else and remains outside of your physical control or supervision, is going to be any better in the long run.

A better solution is probably to have a minimal amount of physically small hardware which you trust, with both input and output capabilities which you also trust -- something like a PDA or a laptop -- and an untrusted network to which it's always easy to attach that device.

This isn't always going to be practical.

I was talking to several people about my claim (which Felten linked to) that trusted computing systems don't diminish your computer's usefulness as a "general purpose computer". I said that a Palladium machine or a TCPA machine or whatever is definitely still in every sense a general-purpose programmable computer. (In fact, it's usually still a general-purpose computer even when it's running in a trusted mode -- although the argument is made even easier by the fact that these systems all are supposed to allow you to use the computer in a traditional mode with the trust features disabled.)

If you want to focus on DRM applications built on trusted computing, and see the technology as a conspiracy against users, I have an analogy which shows how you still keep general-purpose computing. This analogy makes a lot of sense to me, and maybe it will make a lot of sense to you. The analogy is partly metaphorical because it's not a technical description of the implementation of a trusted computing system; it's just a description of one outcome which is attainable.

Right now, you might have several different electronic devices at home; maybe one of them is a computer and another is a stereo, or a DVD player, or a VCR (preferably one which was manufactured some years ago and does not conform to the requirements of 17 USC 1201(k)). Each of these devices is shipped in its own separate box.

But, in the future, instead of having just "a computer" in one box and "a proprietary media player" in another box (like a DVD CCA-licensed DVD Video player, or DiscoVision), you can imagine that you get a computer as one component and a proprietary media player as a second component. These components are then bundled together in one box. You could implement this in such a way that the two components are entirely unaware of one another, but we'll assume instead that the components know of one another's existence. They can communicate via some kind of open standard interface, which we could imagine is PCI or FireWire. (That's not how this is actually implemented, but this is a metaphor, remember?)

In that case, when you want to use computer features, you just flip a switch or type a command or otherwise perform some action on some user interface so that you're talking to the "computer" component. And you can tell the "computer" component what you want it to do, and it will do it for you, just the way it does now. When you want to use some proprietary media, you flip the switch or perform the action so that you're talking to the "proprietary media player" component. Now you can ask it to play proprietary media, and it will do that, but you can't ask it to do certain other things for you, because that component isn't the computer component, and it doesn't understand how to do those things, or it isn't willing to do them. You can also use the two components together in certain ways. For example, you could use the computer component to download encrypted documents over the Internet. The computer component doesn't understand how to read these documents, because it doesn't have the decryption key, but you can ask the computer component to send these documents over to the proprietary media player, which may possibly have the appropriate decryption key and may be able to decrypt and display the contents of those documents, subject to various arbitrary and irritating restrictions.

The proprietary media player can thus make use of the computer to get certain (untrusted) network and communications services, and possibly certain (untrusted) storage services, and possibly certain user interface services, and so on. But the computer component in general doesn't trust the proprietary player component, and the proprietary player component in general doesn't trust the computer component. They are separate in design and separate in functionality, and neither one can see inside of the other and neither one can control the operations of the other. They can communicate only over a precisely-defined communications interface which doesn't put either device in control of the other device.

If you want, you can choose never to use the proprietary player, and only use the computer component. The computer component will continue to function normally as though the proprietary player weren't there at all; of course, it will continue to play non-proprietary media. If you get a copy of a suitable decryption key, or you run suitable decryption software, you can even use the computer component to decrypt and play proprietary, encrypted media. The proprietary player can't stop this -- it can't even tell that you're doing this, because it can't look inside the computer. And there's a corresponding limitation: the computer can't look inside the proprietary player to try to extract keys or to try to extract decrypted information. If you want to try to break an encryption system, using the computer component, you will be on your own; the proprietary player won't give you any additional information you didn't already have.

The point of this metaphor is that it's possible to have general-purpose computing functionality, which is under your control, packaged in the same box with some additional functionality which is not general-purpose and which is not under your control. And if you do this, you might get something which it is possible to see both as a benefit and as a disadvantage. The most obvious disadvantage is that, if the combination became widespread, publishers might eschew open standard formats which the computer component could read, in favor of proprietary formats which only the proprietary player component could read. (They wouldn't be able to get away with that if nobody had the proprietary player component in the first place!) This outcome would tend to give you less flexibility, power, and control, and diminish the benefits which you would otherwise have achieved with general-purpose computing. But you would still have general-purpose computing capability and the ability to write and run competing software.

As I argued a few days ago, you still have Turing-completeness (but for that little detail about needing an infinite amount of RAM) -- you can build a Turing machine and you can paint it blue, and it's still a Turing machine, or you can build a Turing machine and put it in a box with some other kind of machine, and it's still a Turing machine. Maybe the other kind of machine is something you find very distasteful, and maybe the other machine will be used for something you consider quite nefarious, but the Turing machine is still a Turing machine.

I had a lot of time to read while I was on trains and airplanes recently, so I read the entirety of Harmful to Minors, by Judith Levine. Levine's book is dedicated to arguing that children's sexuality and sexual experience is legitimate and can be a positive thing, and that attempts to suppress it or pretend it doesn't exist can have negative consequences.

I was surprised at how much of the book was dedicated to discussions of sex education. The other surprise was Levine's insistence that childhood sexual experience is reasonable and appropriate. (Less radical advocates often suggest that childhood sexual education, knowledge, fantasy, desire, discussion, etc., are appropriate, but physical contact may not be. For example, many people I know think that young people should be able to view explicit discussions and depictions of sexual acts, if they want to, but not necessarily to participate physically in those acts themselves. Levine has a much more radical sex-positive view and does not seem to want to be held to a sharp distinction between ideas, images, and acts.)

She spends a great deal of time talking about safe sex and birth control, which reminds me of the passage in Summerhill where Neill seems to suggest that he can't allow the young students at his school to have intercourse because they might become pregnant -- but he doesn't necessarily see an abstract reason why they shouldn't do so otherwise. (Neill wrote in an era when birth control and abortion were less widely available, and less reliable, than they are now, to say nothing of their unpopularity. Maybe if birth control and abortion services had been readily available, Neill would have chosen to permit his students to have sexual intercourse! When I attended boarding school, I felt subjectively that the school's attempts to discourage sexual contact were less a result of concern about sexual morality or emotional development and more a result of concern about pregnancy. This is in line with Neill's suggestion that pregnancy was his greatest fear for his students; I suspect that many schools would turn more of a blind eye to older teens' sexual activity if the "outward consequences" of pregnancy and STDs could be eliminated.)

Since I had more interest initially in topics like Internet censorship, I regretted that Levine spent so little time on them. She also gave too little attention to questions of emotional development and maturity (what liberals often worry about when thinking about young people's sexual activity), since she had such a strong focus on dissing conservatives' moral anxieties and promoting safe sex and sex-positive attitudes.

What do young people in the U.S. actually believe about sexuality, and why? What are the influences of religious and political belief, educational background, social class, temperament, personal and family experience? (There are many anecdotes about young people's beliefs, but usually in the service of some particular argument. And the statistics provided are more often about behaviors than about attitudes and beliefs. I wanted to know more about what sexuality means to people, a question Levine sometimes seemed to be neglecting.)

I also re-read From the Mixed-Up Files of Mrs. Basil E. Frankweiler, a children's book I'd read in elementary school. I think I found it more plausible, and more exciting, the first time around, although there are some parts which continue to be touching.

I'm now working on Lakoff's Moral Politics, which I got as a birthday present; I'll write more about that when I finish it. I've also borrowed some interesting books from Amy, and I'm hoping to keep working on Personal Knowledge, which I put aside a while back.

I was in D.C. for several days, and a lot of things happened, and I found my trip extraordinarily worthwhile.

Thanks!

"Fair Use" or "Lawful Use"? Oh, definitely call it "lawful"! Everybody in this town worries about what's lawful, but nobody cares about what's fair.

(a D.C. journalist)

[Main]
Support Bloggers' Rights!
Support Bloggers' Rights!


Contact: Seth David Schoen