
[FYI] (Fwd) FC: Ethernet IDs are unique too; responses to Intel



------- Forwarded Message Follows -------
Date:          Mon, 01 Feb 1999 16:23:03 -0500
To:            politech@vorlon.mit.edu
From:          Declan McCullagh <declan@well.com>
Subject:       FC: Ethernet IDs are unique too; responses to Intel ID chip
Reply-to:      declan@well.com


***********

Date: Tue, 26 Jan 1999 17:55:05 +0000
From: Karl Auerbach <karl@CaveBear.com>
To: Declan McCullagh <declan@well.com>
Subject: Re: FC: Time to boycott Ethernet too? 


You didn't clearly mention it, but the Ethernet (MAC) address found on
*any* computer on an ethernet is a unique (hopefully) and stable machine
identifier.  (The number is usually on the adaptor card itself.)

But it is never (OK, rarely) carried beyond the local LAN.

By the way, I host a rather large collection of the IEEE
assigned MAC vendor codes at http://www.cavebear.com/CaveBear/Ethernet

  --karl--

***********

From: rongus@tiac.net (Ron Gustavson) 
To: declan@well.com 
Subject: Re: FC: Time to boycott Ethernet too?
Date: Wed, 27 Jan 1999 05:47:58 GMT 


Bob wrote:

>>[I'm also not a fan of Intel's move, but I think it's reasonable to note
>>that every computer with Ethernet hardware has a unique ID number that some
>>programs have used for at least a decade to thwart piracy, for instance.

and KM wrote:

>Second, the hardware (where Intel comes in) doesn't talk directly to the 
>network.  The real issue is browser support for this functionality, and 

I'd like to hear more about Pentium III before reacting, but this ID
number should be seen in light of Intel's Wired for Management 2.0
spec. ( http://developer.intel.com/ial/WfM/wfmspecs.htm )

The WFM initiative allows MIS personnel to access remote PCs at
sub-OS level.

Here they can start up and reboot  PCs remotely, over NIC or
modem, and install applications, drivers--or even the OS--from a
disc image. 

When a WFM PC is shut off, it enters a "soft off" where it can be
accessed by IS. To reach a mechanical off state might require an
override switch, located in a pinhole or something.

While aimed at corporate networks, could these utilities perhaps
be used [or abused] to police future consumer PCs as well?


***********


From: leavitt@webcom.com 
Subject: Re: FC: Time to boycott Ethernet too? 
To: declan@well.com 
Date: Tue, 26 Jan 1999 14:20:31 -0800 (PST) 

Declan,

I guarantee you that if CPUID is there, and in the browser/client, it
won't be feasible to turn off... merchants will demand it, and just
like only strange people put up with sites "asking" about cookies (how
practical is your browser when you have to click dozens of times each
session to say yes or no to cookies, and web sites start acting weird
when you reject them, and your vendor e-commerce systems require
them?)

The thing is either there, and available, or not.

From a system admin's perspective, tying software to a CPUID is way way
way annoying... which CPU ID does it get tied to in a multi-CPU
system? The first one? Oh, and are we going to be happy when the first
CPU dies and all the software becomes dysfunctional? All of them? What
happens when swapping out the two CPUs in the system requires new
licenses for every piece of software on the system? I hated dealing
with that stuff on Suns, it was a major pain in the ass... every time
I wanted to move stuff, I had to deal with their license bureaucracy
and go dig through the manual to figure out how to do stuff.

Do that for the average consumer's PC, where they don't keep track of
the licenses much anyway, even for the legit stuff, and then have to
deal with vendors saying, "oh, that version isn't supported anymore,
you'll have to upgrade" and you'll rapidly wind up with pissed off
customers.

Intel has a right to prevent piracy, yes, and anti-theft stuff is
cool... but, you can extend the logic to everything... every piece of
software running on your PC could be required to authenticate itself
with an Internet network server... shareware would have "teeth",
freeware (and other software) authors could get an idea of how many
people are using their applications, and how often, and hell, on what
type of computers with what type of configurations, and what functions
they are using (the bigger the bandwidth, the more data logged and
sent out)... the concept of a software license could have teeth.

Microsoft "we're raising the price of your MS Office subscription by
$300. Send us your payment now, or we'll turn off all your Office
installations one week from now."

Not going to happen? Well, *everyone* is against software piracy...
would corporate America say no to MS if the next version of Office
included this? (probably public outcry would stop it, but who knows?)

Regards,
Thomas Leavitt

***********

Reply-To: <austin@zks.net>
From: "Austin Hill" <austin@zks.net>
To: <declan@well.com>
Subject: Intel inside
Date: Wed, 27 Jan 1999 15:07:49 -0500

Hi Declan,

Just a couple thoughts & points that Ian Goldberg and the staff at
the office have been discussing with regards to the Intel unique serial
number.

-Security for stolen PC's

I don't believe this claim (With regards to consumer stolen PCs, which
is how I've seen it reported).   The premise here is that if my PC is
stolen, then I can report it or it will show up as stolen the next
time the PC is connected to the Internet.   The flaw in this is
twofold.

a) If consumers have the option to turn off the reporting, then so do
criminals.  So the reporting doesn't work unless you assume that
everyone who turns off the option is a criminal.

b) If the serial number is not transmitted to Intel directly each time
the computer connects (Which I haven't heard is the case) it means
that all ecommerce sites, or sites that are able to ask for the serial
number will have to share this information with PC vendors and Intel
to track down stolen PCs.   This means a blacklist or central pooling
of serial numbers, as I'm sure you know this increases the amount of
information sharing between sites and creates a very bad precedent of
creating 'authorized' PC's and 'blacklisted' PC's.    What a great way
to pull a prank or harass someone.   Use BackOrifice, or walk by your
computer and get your serial number and then call Intel and report it
stolen, next thing you know you can't access certain sites.

(Note: In the area of large volumes of stolen chips, the serial number
can be effective since they can warn resellers not to purchase them
and have some way of increasing accountability with PC manufacturers.
I don't think that this extends to consumer PCs)


-Authentication for eCommerce

This is also a pretty bogus claim.   Serial numbers on PCs are NO WAY
to authenticate for eCommerce.    This assumes that everyone uses only
one PC, and only Intel Pentium III processor as well.   Is Intel
trying to convince everyone that Amazon, Buy.com and Outpost won't
accept my order if I purchase from multiple PCs?   Or that I'll have
to register each PC that I plan to use purchasing with Amazon?   Or
that Mac Users, Unix/Linux users, AMD or WebTV users will be treated
as second class citizens, not being able to access the same features? 
 This is ridiculous.   There is no benefit to eCommerce.   This is
marketing speak.

Proper user authentication is done with digital certificates,
usernames & passwords or authentication devices (Biometrics, token or
smart card based).

The real benefits for Intel, I believe, are based on two separate areas.

-Software licensing.
 -Per processor software licensing is something that software vendors
would like to have.    I still think it is an idea that is flawed, since you
would need tight integration with the OS and software to allow for
things like processor upgrades (i.e. I backup my software, switch
hardware and then restore my backup when upgrading my PC.  Would my
software work?).   With these types of scenarios there is just too
much ability to patch the software the same way current copy
protection systems are patched with cracks.

-Encrypted processor instruction sets

This sets the ground work for creating a security infrastructure
inside the chipset.   This would most likely include encrypted
software instructions and the ability for a processor to run encrypted
machine code.   This completely removes the ability to know what your
applications, operating system and processor are doing.    This is
very much a concern to us as it should be to anyone who is concerned
about security.

I'm surprised more people haven't pointed out or talked about how the
claims of eCommerce security & stolen PC retrieval are false.   I
think Intel has done a fabulous job of spinning this since everyone is
talking about turning the option on or off without questioning the
validity of why it is in there in the first place.

Just my 0.02

-Austin




_________________________________________________________________________
Austin Hill                                   Zero-Knowledge Systems Inc.
President                                     Montreal, Quebec
Phone: 514.286.2636 Ext. 226                  Fax: 514.286.2755
E-mail: austin@zks.net                        http://www.zks.net

             Zero Knowledge Systems Inc. - Nothing Personal

PGP Fingerprints
2.6.3i = 3F 42 A2 0D AF 78 20 ED  A2 BB AD BE 8B 40 5E 64
5.5.3i = 77 1E 62 21 B3 F0 EB C0  AA 6C 65 30 56 CA BA C4 94 26 EC 00
keys available at
http://www.nai.com/products/security/public_keys/pub_key_default.asp
_________________________________________________________________________


--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to majordomo@vorlon.mit.edu with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/
--------------------------------------------------------------------------