Microsoft security chief trapped in endless identity sales pitch Microsoft on Tuesday gave the world a sneak peak at technology it said would streamline the process of validating people's identity without compromising their privacy. Code-named Geneva, the software provides a framework for schools, businesses, and other large organizations to more safely manage sensitive data about their …
""Initially, my friends laughed because I used Microsoft and security in the same sentence," he said. "But it turns out in the years that followed I think we've proven we're very serious about security." "
Being serious about security, and being good at it are not one and the same... and vice versa.
I think this End to End Trust will end many things, like:
- ability to use software you want (sorry, we, Microsoft, don't trust that company)
- ability to publish software (sorry, your company is not a reputable company, hence your software cannot run on our users' systems, unless you pay $$$$)
- ability to use "alternative" operating systems (sorry, your OS does not support my trusted computing chip on this motherboard, so I won't work)
- ability to build your own computer (sorry, this hard disk does not support trusted computing, so it won't work with this motherboard)
- ability to play/view any (online) media (sorry, you can't view this content, because your computer is not trusted)
In other words, this End to End Trust initiative is about big corporations trusting you, not the other way around. It will severely limit the amount of control and choice you have over your own hardware and software. This is vendor lock-in times 10. Be wary.
A chain of trust is only as secure as its weakest link, and sorry, MS ain't good enough. Waaaaay too much marketing and not enough substance, especially taken into account the vast number of specialists they have bought from the competition.
Security starts with trust, and that's where it all falls down already.
I have yet to find any company that can secure data with bullshit. I'm sure that MS would have invented that already if it was possible, because that's what they're very, very good at.
Heck, I'd even call them world leading in that respect.
Nice try, but thanks.
Very true, but where Microsoft is concerned, it is very black indeed.
Especially when a Microsoft mouthpiece has the gall to spout such nonsense as "we've proven we're very serious about security". Buddy, the only thing you've proven up to now is that security is the worst thing you do. Seriously.
A bit short on information about Geneva, this article, but I believe the technology has been around for a damned long while: See http://www.schneier.com/blog/archives/2008/02/credentica.html. It would be pitiful if Microsoft's implementation were to become the standard just because only they can get businesses interested.
"Trust, Charney argued, isn't a black-or-white thing." Wrong - it is binary - but does depend on the impact of what is being trusted and to whom.
"It may be perfectly OK to trust an unknown street vendor with a credit number" - Well, you're a damned fool if you do without taking some scaled precautions. You may find you're liable under your CC terms and conditions.
"that caps fraud losses at $50". Who's loss? It may be the max the card holder might directly lose but the credit card company may not be able to recover the money you lost it. Indeed, the credit card insurer may have to raise premiums and, thus, either way I get to pay increased charges.
"Turning over a bank-account number to the same salesman might be altogether different." Well slap me down with a fish - I didn't think about that.....!
Seriously though, as other posters have noted, this isn't about protecting the"average Joe" punter its about protecting the corporate entities and making the cost of entry so high that only the most persistent, expert, or largest can rip you off.
It is a tool, not a Silver bullet. In time it will be circumvented and is just another step in the arms race.
MS are selling but in doing so are changing the pitch & stadium so that the rules have to change. They can do so because they are, in effect, the only game in town. You may not like it, you may strongly object, you may do all sorts of things but you are unlikely to be able to change things.
Security is mainly a personal thing. Look after yourself, press your Government and politicians to look after your interests but DO NOT expect commercial enterprises to be altruistic or you will be unsurprisingly disappointed......
I agree with all that's written above...
and this is exactly the way that the appstore works for the Iphone,
device manufacturer, only allows certain apps, that they deem appropriate, and you get to pick and choose from what they let you.
I'm not bashing apple for this, I'm just saying that the model that seems to be described here where big business can sign their apps so that they are 'trusted' already exists and most people accept it.
those that don't accept it have to run untrusted apps to break the trust association meaning they can install from anywhere, (jail breaking).
it's be a shame if the PC market went down this route as well. because surely the best thing about the PC market is that you can install what you like, when you like, your machine your business...
certainly I note that I have a lot of tools on my work laptop that the AV reports as possible hacking tools, but are in fact pretty useful apps that I use to do my work... how long before we can't use certain tools because MS decide that they don't like/won't sign them?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
