[Full-disclosure] Apple TPM need for disclosure

PCSC Information Services info at pcsage.biz
Wed Feb 8 23:58:32 GMT 2006


Hey p33ps,

Now before you size me for a tin-foil hat, (7 1/2 btw) you might want  
to follow up on this, because it's a major exposure.
The Trusted Computing Group (trustedcomputinggroup.org)  is rapidly  
ushering in a new Trusted Platform Module.
I'm sure that many of you are aware of this technology. A thorough  
reading of the specification is quite refreshing and
there are many excellent benign uses for the technology as specified.  
These include a secure file system implementation,
secure drivers, and a difficult to hack environment due to the tamper  
proof package of the chip itself.
The TPM architecture overview repeatedly calls for owner opt in/out  
for the platform.
The very approachable TPM FAQ https://www.trustedcomputinggroup.org/faq/ states:

What has the TCG done to preserve privacy?
TCG believes that privacy is a necessary element of a trusted system.  
The system owner has ultimate control and permissions over private  
information and must "opt-in" to utilize the TCG subsystem. Integrity  
metrics can be reported by the TCG subsystem but the specification  
will not restrict the choice and options of the owner preserving  
openness and the ability of the owner to choose.

The TCG specification will support privacy principles in a number of  
ways:

The owner controls personalization.
The owner controls the trust relationship.
The system provides private object storage and digital signature  
capability.
Private personalization information is never exposed.
Owner keys are encrypted prior to transmission.
It is also important to know what the solutions are not:

They are not global identifiers.
They are not personalized before user interaction.
They are not fixed functions—they can be disabled permanently.
They are not controlled by others (only the owner controls them).

Apple has not provided any end user controls, none, nor has it
documented its use of this technology.
Furthermore, Apple has not provided any feedback regarding a  
legitimate complaint to the privacy officer with respect
to their implementation.

Even more damning is that this TPM has the capability of setting up a  
transitive trust relationship, which will allow enterprise
system administrators full remote audit and administration. Microsoft  
is aiming to use WMI for this purpose, Apple is using?

The TPM installed in my machine isn't owned by me. I want control of  
this device. I'm sure other iMac users might be surprised at this  
implementation too. The implications are quite profound here. Can we  
get some disclosure?

PCSage Information Services
name withheld to protect the innocent





Full-Disclosure is hosted and sponsored by Secunia.