Month: March 2005

The three largest computer makers–Dell, Hewlett-Packard and IBM–have started selling desktops and notebooks with so-called trusted computing hardware, which allows security-sensitive applications to lock down data to a specific PC. But Microsoft’s plans to take advantage of the technology have been delayed, meaning the software heavyweight likely won’t get behind it until the release of Longhorn, the Windows update scheduled for next year.

That leaves hardware makers in a rare position: They are leading Microsoft, rather than working to support one of the software giant’s initiatives.

“Our success is not dependent on Microsoft,” said Brian Berger, executive vice president at security company Wave Systems and the marketing chair for the Trusted Computing Group. “When Microsoft comes on board with some of what they have talked about, it will be that much better, but this is not a Microsoft-centric activity.”

The Trusted Computing Group, the industry consortium that sets specifications for the specialized hardware, has had to rely on other software makers to demonstrate the benefits of running a trusted PC. Largely a footnote in 2004, the technology is set to take off this year, with the top three PC makers shipping laptops and desktops equipped with hardware security.

Dell, the last holdout, announced that it had added the security technology to its latest line of notebooks on Feb. 1.

In 2005, more than 20 million computers will ship with the trusted platform module, up from 8 million in 2004, according to estimates from research firm IDC.

The technology locks specialized encryption keys in a data vault–essentially a chip on the computer’s motherboard. Computers with the feature can wall off data, secure communications and identify systems belonging to the company or to business partners. That means companies can improve the security of access to corporate data, even when the PC is not connected to a network.

Microsoft is a significant proponent of trusted computing. When it first publicized plans in 2002 to create a security technology known as Palladium, it said that its software component might be released as early as the end of 2004. At the time, digital-rights advocates raised concerns that the technology could be used by software makers and media companies to control people’s PCs, putting Microsoft on the defensive.

What’s new: The top three PC makers have started selling models with encryption hardware, even though Microsoft’s software for the technology has hit delays.
Bottom line: That leaves hardware makers in a rare position: They are leading Microsoft, rather than working to support one of the software giant’s initiatives.

http://news.com.com/Hardware+security+sneaks+into+PCs/2100-7355_3-5619035.html?part=rss&tag=5619035&subj=news

Classified information could not be processed on insecure computers, classified documents had to be stored in locked safes, and so on. The procedures were extreme because the assumed adversary was highly motivated, well-funded and technically adept: the Soviet Union. You might argue with the government’s decision to classify this and not that, or with the length of time that information remained classified. But if you assume the information needed to remain secret, the procedures made sense.

In 1993, the U.S. government created a new classification of information–Sensitive Security Information–that was exempt from the Freedom of Information Act. The information under this category, as defined by a Washington, D.C., court, was limited to information related to the safety of air passengers. This was greatly expanded in 2002, when Congress deleted two words–“air” and “passengers”–and changed “safety” to “security.”

Currently, there’s a lot of information covered under this umbrella. The rules for SSI information are much more relaxed than the rules for traditional classified information.

Before someone can have access to classified information, he must get government clearance.

Before someone can have access to SSI, he simply must sign a nondisclosure agreement, or NDA.

If someone discloses classified information, he faces criminal penalties.

If someone discloses SSI, he faces civil penalties.

SSI can be sent unencrypted in e-mail; a simple password-protected file is enough.

A person can take SSI home with him, read it on an airplane, and talk about it in public places.

People entrusted with SSI information shouldn’t disclose it to those unauthorized to know it, but it’s really up to the individual to make sure that doesn’t happen.

It’s really more like confidential corporate information than government military secrets.

The U.S. government really had no choice but to establish this classification level, given the kind of information it needed to work with. For example, the terrorist watch list is SSI. If the list falls into the wrong hands, it would be bad for national security. But think about the number of people who need access to the list. The U.S. government really had no choice but to establish this classification level, given the kind of information it needed to work with. My guess is that more than 10,000 people have access to this list, and there’s no possible way to give all of them a security clearance.

Either the U.S. government relaxes the rules about who can have access to the list, or the list doesn’t get used in the way the government wants. On the other hand, the threat is completely different. Military classification levels and procedures were developed during the Cold War and reflected the Soviet threat. The terrorist adversary is much more diffuse, much less well-funded and much less technologically advanced.

SSI rules really make more sense in dealing with this kind of adversary than the military rules. I’m impressed with the U.S. government’s SSI rules. You can always argue about whether a particular piece of information needs to be kept secret, and how classifications like SSI can be used to conduct government in secret. But if you take secrecy as an assumption, SSI defines a reasonable set of secrecy rules against a new threat.

http://news.com.com/Common+sense+on+security/2010-7348_3-5616209.html?part=rss&tag=5616209&subj=news