Is it possible to imagine a Trustless Computing Group that deploys the same kind hardware-level security standards deployed to-date by the (un)famous Trusted Computing Group – but (a) intrinsically user-accountable (b) severely hardened and (c) extended to manufacturing process oversight – to guarantee concurrently users privacy AND content rights owners copyrights via user-verifiable security assurance processes?
The term “trustless computing” is chosen because it concurrently mean (a) the opposite of Trusted Computing ™ – which the user can’t trust as they could not verify or analyse it, and content providers couldn’t trust as it go broken all the time – and (b) a “computing that does not require trust in any person, entity or technology”, that carries to the ultimate the proposed Trust No One model by US security expert Gibson.
The Trust Computing Group has over the last decade has deployed 2,121,475,818 devices (today’s count on their website) which contain hardware, firmware and software technologies that cannot, in their entirety, be legally (in US) and/or practically verified openly by third parties, and therefore most surely full of vulnerabilities resulting from malicious actions – by NSA and many other parties – from incompetence and/or from luck of open public oversight and testing. As history has shown.
In addition to its not sufficient trustworthiness, 2 main contradictions of Trusted Computing are still completely there and unresolved, since its inception over a decade ago: (1) DRM (and other trusted computing) keep on getting broken. Nonetheless, content owners are fine since its technical weakness was solved by Apple and similar strategies that made their entire platforms a DRM systems (what Schneier calls feudal security model) and/or by making it impractical enough for the average user to widely consume pirated content on commercial entertainment computing devices.; (2) It’s negative impact on users privacy remains intact and unresolved. Nonetheless, it has become more and more evident to everyone over this decade – and even more since Snowden – that the hardware and software technologies we use are so vulnerable or broken – and the business model of most B2C cloud services so catastrophic for user – that DRM is rightfully perceived as just one more of so many many vulnerabilities that are there already, and therefore not worth fighting against.
This week, Trust Computing Group claimed that their model is the right model “to solve today’ most urgent cybersecurity problems” such as those that have emerged since Snowden revelations, as for example those caused by vulnerabilities in widely used critical free software like OpenSSL.
Of course, this must be a joke, since the most urgent cyber security needs actual security of end-to-end systems to protect against security and privacy breaches that can cause grave damage to citizens or state agencies, and not failed technologies standards that have been the prime movers of hardware-level security-through-obscurity paradigms, that has produced what we are know discovering as a completely broken computing industry where commercial computing is way more complex that it can ever be assured for security, and vulnerabilities abound in all devices hardware and software levels, with the high probability that a significant number of actors in any nation, and not just NSA, has access to many of them.
What if instead we flipped it over, and created a standard body named Trustless Computing Group based on free software and hardware-based security-through-transparency paradigm, that would use the same user-verifiable processes to guarantee (1) unprecedented privacy and freedom to user, and (2) unprecedented security to the content owner!? Why can’t the same assurance socio-technical processes guarantee both users data and content owners data?!
Alternative names for it:
User Verified Telematics?!
Got any suggestions? …
Nov 24th 2015 UPDATE : The User Verified Social Telematics has been renamed into Trustless Computing (here is why in a post), and we have started setting up such proposed Trustless Computing Group, with the name of Trustless Computing Consortium.