ISPI Clips 8.38: Intel's Pentium III Processor, Embedded Security & Privacy Issue (fwd)
Apparently not many ppl find this idea disturbing...I wonder if they're
going to provide info on how to disable this to the Linux community?
---
We have only two things to worry about: That things will never get
back to normal, and that they already have.
D'jinnie/Jinn, encountered on IRC and select MU**. (jinn@irony.org)
finger jinn@irony.org for PGP public key
---------- Forwarded message ----------
This From: CNET News.com, January 22, 1999
http://www.news.com
Trials Set for Intel's Embedded Security
http://www.news.com/News/Item/0,4,31309,00.html?dd.ne.tx.ts3.0122
By
Michael Kanellos and Tim Clark
Staff Writers, CNET News.com
The security codes to be embedded in Intel's Pentium III processor can
potentially be misused to identify and collect data on Web surfers, some
privacy advocates warn. But Intel argues that the technology will actually
make the Net a safer place.
The controversy has emerged as 30 Web sites prepare to conduct trials of the
processor, to be released in February. Critics claim that the number scheme
can be used to monitor the Internet habits of virtually anyone with a
modern, Intel-based computer.
Intel [ http://www.intel.com/ ] countered that the serial number will
actually improve security. The Web sites in the trials, for instance, will
use the serial number as a third form of identification, complementing the
user name and password schemes currently in place, said Pat Gelsinger,
corporate vice president of the Desktop Products Group at Intel. Ideally,
hackers couldn't just assume your identity by swiping your user name and
cracking a password; they would have to steal your computer as well.
In any event, Intel won't be stepping into the shoes of Big Brother any time
soon, Gelsinger added. "We are not keeping those processor numbers in any
form at all," he said, which means Intel shipping records won't be turned
into a police log. Users can also disable and re-enable the serial number
scheme at will.
The plan was developed as a way to provide greater security for PC
transactions and communications, said Gelsinger. Intel will imprint a 96-bit
identification number on Pentium III chips and their successors. The number
cannot be erased, but users will be able to choose whether to disable the
feature or to keep the number active to be "read" for identification by
outsiders.
Web sites, for example, may require user name, password, and processor
serial number before giving access to certain pages. An agent from the Web
site reads the processor number to ensure authenticity.
The number will therefore foil common hacking techniques because hackers
will have access to the PC so that the agent can read the identification
number. The numbers can also be used to lock out users who have been kicked
out of chat rooms and re-registered under a new name.
Identification, Gelsinger said, is also a voluntary process. A blue number
sign will appear in the Windows control shelf [the series of icons at the
bottom right corner of the screen] whenever the serial number is enabled. By
clicking the icon, users can pull up a control panel to disable it so
outside agents can't read the serial number. Turning it off may prevent
access for certain transactions, he said, but it returns anonymity. Users
can then re-enable the number by re-booting.
Most computers, however, will likely be using the enabled setting as their
default. "Our customers have been asking for this for years," Gelsinger
said.
Will the system give Intel or its partners the power to monitor PC users?
No, Gelsinger said. The company is not keeping a record of the serial
numbers, so records cannot be used to trace Internet use. In addition, the
numbers are technically serial numbers anyway. A program generates them
randomly and they do not fall into a simple ordering sequence.
Privacy advocates, however, see a high potential for misuse in the system,
although they admit that the specific negative implications of the scheme
are difficult to pin down because it hasn't rolled out yet. Many also seem
to fear retribution from the company. Few are willing to go on the record so
far.
"Intel's product has some serious security and privacy implications. It is
really incumbent on the folks who are developing technology, folks in the
policy community, and folks in advocacy community to look at code as having
serious social implications," said Deirdre Mulligan, staff counsel at the
Center for Democracy and Technology, a nonprofit civil liberties
organization focusing on the Internet
"The hard part is figuring out the implications. Until it's put out into the
marketplace, it is difficult to tell," she added. "Like law, software code
has great social implications for privacy and speech."
Gelsinger, in fact, acknowledged that Intel's decision to not keep a
database on these numbers is strictly voluntary. There is technically
nothing stopping the company from keeping a registry. Computer companies
could do the same, he allowed, although he said he believes business
considerations weighed against tracking these numbers, as they did with
Intel.
Copyright © 1995-99 CNET, Inc.
--------------------------------NOTICE:------------------------------
ISPI Clips are news & opinion articles on privacy issues from
all points of view; they are clipped from local, national and international
newspapers, journals and magazines, etc. Inclusion as an ISPI Clip
does not necessarily reflect an endorsement of the content or opinion
by ISPI. In compliance with Title 17 U.S.C. section 107, this material is
distributed free without profit or payment for non-profit research
and educational purposes only.
---------------------------------------------------------------------------
ISPI Clips is a FREE e-mail service from the "Institute for the Study
of Privacy Issues" (ISPI). To receive "ISPI Clips" on a regular bases
(1 - 6 clips most days) send the following message "Please
enter [Your Name] into the ISPI Clips list: [Your e-mail address]" to:
ISPIClips@ama-gi.com .
The Institute for the Study of Privacy Issues (ISPI) is a small
contributor-funded organization based in Victoria, British Columbia
(Canada). ISPI operates on a not-for-profit basis, accepts no
government funding and takes a global perspective.
ISPI's mandate is to conduct & promote interdisciplinary research
into electronic, personal and financial privacy with a view toward
helping ordinary people understand the degree of privacy they have
with respect to government, industry and each other.
But, none of this can be accomplished without your kind and
generous financial support. If you are concerned about the erosion
of your privacy in general, won't you please help us continue this
important work by becoming an "ISPI Supporter" or by taking out
an institute Membership?
We gratefully accept all contributions:
Less than $60 ISPI Supporter
$60 - $99 Primary ISPI Membership (1 year)
$100 - $300 Senior ISPI Membership (2 years)
More than $300 Executive Council Membership (life)
Your ISPI "membership" contribution entitles you to receive "The ISPI
Privacy Reporter" (our bi-monthly 12 page hard-copy newsletter in
multi-contributor format) for the duration of your membership.
For a contribution form with postal instructions please send the following
message "ISPI Contribution Form" to ISPI4Privacy@ama-gi.com .
We maintain a strict privacy policy. Any information you divulge to ISPI
is kept in strict confidence. It will not be sold, lent or given away to
any third party.
Reply to: