Re: Broken dream of mine :(

[Sam Mason]

On Mon, Sep 21, 2009 at 04:00:58PM +0200, Michal Suchanek wrote:
> 2009/9/21 Sam Mason <address@hidden>:
> > The point I was trying to make is that this doesn't work for "the
> > whole internet".
> 
> Well, this was discussed to death on another list (grub-devel).

Any pointers?  I found a couple of discussions, but they didn't look
very interesting.

> The
> admins typically do have physical access, and physical access makes it
> possible to launch quite a few attacks that are feasible with
> resources a system administrator would typically posses (spare
> hardware parts, digital voltmeter).

Yup, I wasn't trying to protect against the admin.  Just noting that it
will help to tell them when things are getting out of date.

> If you really want to protect against that you *need* physical
> security. And if you do have physical security you have to do the
> administration yourself anyway so the system need not protect against
> an administrator.

But you can't be sure that a remote attacker hasn't put a rootkit in
somewhere.  AFAIU, TPM should allow you to detect this.

> On the other hand, a TPM based verification is enough to lock out an
> average Joe User out of his computer.

I'd agree, I'm struggling to think of any use cases outside of high
assurance that would want anything to do with TPM.  But why does it
matter, in the above case the machine would just go into a loop when
logging into the network and the admin would realize and intervene at
some point and reimage the machine.  The normal user wouldn't be trying
to log into a network that cared and hence wouldn't be any the wiser
that anything was amiss.

I personally think that the media's perverted use of TPM has colored
most peoples' viewpoint of it.  There was a lot of good research that
went into it and it seems like a waste to throw it all away just because
the use that people initially heard about is particularly horrible.

-- 
  Sam  http://samason.me.uk/