Register for free to join our community of investors and share your ideas. You will also get access to streaming quotes, interactive charts, trades, portfolio, live options flow and more tools.
Register for free to join our community of investors and share your ideas. You will also get access to streaming quotes, interactive charts, trades, portfolio, live options flow and more tools.
https://bitcoinmagazine.com/articles/op-ed-five-things-blockchain-firms-need-know-about-gdpr/
This guest post by Laura E. Jehl was co-written by Robert A. Musiala Jr. and Stephanie Malaska of BakerHostetler. Views expressed are those of the authors and do not necessarily reflect those of BakerHostetler or its clients .
This year, we’re witnessing the convergence, and perhaps the collision, of two powerful new forces in data privacy: the European Union General Data Protection Regulation (GDPR) and the emergence of blockchain-based privacy solutions. As blockchain technology firms continue to build new solutions, here are five key takeaways they should keep in mind about the GDPR.
Personal Data
The GDPR applies to “personal data,” which is defined as “any information relating to an identified or identifiable natural person (‘data subject’).” A “data subject” is a “natural person … who can be identified … by reference to an identifier … specific to the … cultural or social identity of that natural person.” Moreover, personal data explicitly includes “online identifier[s],” including IP addresses.
Takeaway #1: Essentially, almost any piece of data that can assist in learning something about someone is likely to be considered personal data.
Under the GDPR, personal data even includes data that has undergone “pseudonymization,” meaning that the data has been processed such that it “can no longer be attributed to a specific data subject without the use of additional information.” Encryption is considered to be a highly effective means of pseudonymization, and “public keys” on a blockchain which are associated with off-chain personal data are also likely to be considered “pseudonymized.” While the GDPR prefers encrypting data to achieve pseudonymization, that encryption alone does not remove the underlying data from the definition of personal data and, therefore, does not serve to avoid GDPR requirements.
Takeaway #2: If personal data stored off-chain can easily be connected to a public key used in a blockchain solution, the public key is very likely to be considered data that has achieved a state of pseudonymization but is still regulated as personal data subject to the GDPR.
Where personal data has been pseudonymized and the additional information needed to attribute the data to a natural person is “not available,” the GDPR indicates that the data may be considered “anonymous information” or “rendered anonymous.” Because the GDPR only regulates personal data, anything considered anonymous is thus exempt from the GDPR, which “does not … concern the processing of such anonymous information ….”
This provision suggests a path to conform blockchain solutions with the GDPR: If the blockchain architecture is designed such that public keys fit within the definition of anonymous information — by ensuring that any off-chain personal data is securely encrypted, and decryption is not available to permit re-association with the public key — processing of public keys may be exempt from the GDPR’s requirements, including the right of erasure.
Takeaway #3: Preserving the ability to have public keys deemed anonymous under the GDPR is arguably the most critical issue of concern for any company leveraging blockchain technology and dealing with personal data.
Controller vs. Processor
Entities subject to the GDPR have different obligations based on whether they are deemed a “Controller” or a “Processor” of personal data. In general, a Controller “determines the purposes and means of the processing of personal data,” while a Processor “processes personal data on behalf of the controller.”
The determination of whether an entity acts as a Controller or a Processor is activity-specific, not entity-specific. This means that, in different contexts, the same entity may be deemed a Controller, a Processor, or both a Controller and Processor. Controllers, as the entities determining the means and purposes of the processing, have significantly more obligations under the GDPR than do Processors. Most importantly, Controllers have the responsibility for implementing requests from individuals who want their personal data deleted, amended or transferred.
Takeaway #4: Companies leveraging blockchain technology should design their systems so that they avoid determining how and why data is processed, and thus avoid being deemed a data Controller.
The Rights of Data Subjects and the Lawful Basis of Processing Data
The GDPR gives data subjects various rights with respect to Controllers of their data. Chief among these are the rights to data portability (i.e., the right to take your data with you), rectification (i.e., the right to amend any incorrect data) and erasure (i.e., the right to be forgotten). In general, these rights can be exercised at the request of the data subject, although there are exceptions to some rights in certain cases, such as when the data is being processed or retained pursuant to a legal obligation.
The obligations of data Controllers to facilitate data subjects’ rights vary based on the lawful basis under which the data is processed. The processing of EU personal data must be supported by one of six legal bases, according to the purpose of the processing. These bases are:
Consent. Consent by the data subject to one or more specific purposes.
Contract. Necessary for the performance of a contract.
Legal Obligation. Necessary for compliance with a legal obligation to which the data Controller is subject.
Public Interest. Necessary for the performance of a task carried out in the public interest.
Vital Interests. Necessary for the protection of the vital interests of the data subject.
Legitimate Interests. Necessary for the legitimate interests of the Controller or a third party, unless overridden by the fundamental rights and freedoms of the data subject.
Because consent may be withdrawn at any time, requiring deletion of any personal data collected on the basis of that consent, it is not an advisable or reliable basis for processing personal data that will be entered onto a blockchain. Similarly, while personal data may be collected and processed pursuant to the performance of a contract, if that contract is terminated or expires, the lawful basis for processing ends and the data must be deleted. On the other hand, data collected to comply with a legal obligation is likely exempt from the right of erasure.
Takeaway #5: Understanding the applicable lawful basis or bases for processing data — especially any applicable limitations or exceptions to data subject rights under that basis — and designing your system accordingly are critical to building GDPR-compliant blockchain solutions.
Avoiding a Collision
Ultimately, whether these two forces are on a collision course has yet to be determined. Avoiding a collision will require some favorable interpretations by EU regulators to ensure that the GDPR does not deprive the EU and EU data subjects of the benefits offered by blockchain technology.
A decision by EU officials that public keys used in appropriately designed blockchain solutions do not themselves constitute personal data would go a long way toward reconciling blockchain technology with the GDPR.
Even if such a determination is made, users of blockchain solutions should monitor whether technological developments, specifically in data storage or encryption, would affect or change such a determination. At this critical moment, it is imperative that blockchain firms understand the GDPR’s framework and take a proactive stance, developing technologies and legal positions that carefully account for the GDPR’s requirements.
As these two powerful forces continue to emerge and take effect, EU regulators and blockchain technologists alike would do well to remember that the GDPR and blockchain-based solutions share many fundamental goals, such as the right of individuals to control their own data and the minimization of data sharing. To demonstrate the compatibility of blockchains and the GDPR, these principles should be leveraged to the greatest extent possible in blockchain solution architectures.
The Final Word: With the right technical architecture and legal analysis, companies can harness the benefits of a blockchain while ensuring that data stored on a blockchain is compliant with GDPR requirements.
The views expressed in this article are those of the authors and not necessarily those of BTC Inc. or Bitcoin Magazine.
https://bitcoinmagazine.com/articles/op-ed-five-things-blockchain-firms-need-know-about-gdpr/
"Intellectual Property" was mentioned 17 times in this article.
1. "The strategy seeks to encourage enterprise-led innovation; to strengthen intellectual property protection; to create a favorable environment for innovation in science and technology (S&T); to attract S&T talents; and to improve the management and coordination of S&T".
2."Fifth, Chinese firms need to work closely with multinational corporations to build innovation capabilities, and it is in the interests of both parties to create a robust innovation infrastructure. But the multinationals may hesitate if they have to worry about intellectual property protection, exclusion from government contracts, newly introduced indigenous standards, rising domestic content requirements, and pressure to transfer technology to China in exchange for market access (Hout and Ghemawat 2010). Innovation policies need to establish greater trust between the government and foreign investors and stronger". institutions that validate and operationalize the mutuality of interests."
3. " In this context, an efficient patenting system that reflects the experience of the U.S. and European systems (both of which are in the throes of reform)115 and effective protection of intellectual property will expedite the growth of China’s innovation capabilities (Smeets and de Vaal 2011). Gwynne (2010, p. 27) writes that “even companies that possess legitimate Chinese patents have had problems defending their rights, because the scope for protection is much narrower. . . . And when it comes to enforcement, only [recently] have there been any large damage awards for infringement.”116 Legal developments in the form of specialized intellectual property courts is changing the picture.117 It is also undeniable that China has made substantial progress in protecting intellectual property rights in furtherance of its ambition to become an innovative country."
https://www.worldbank.org/content/dam/Worldbank/document/China-2030-complete.pdf
Xbox 360 chip can be hacked, claims researcher
Questions security of TPM processor used to protect smartcards, computers
http://news.techworld.com/networking/3211829/xbox-360-chip-can-be-hacked-claims-researcher/?olo=rss
Snackman,
6/30-7/2.
http://www.tc-conference.com/
Also, see the following:
Day 3, July 2(at the bottom-)
4. Trusted Computing Management Server
Hans Brandl, Infineon Technologies AG, Germany
Sorry if already posted.....
Atmel Releases First Integrated TPM/Biometric PC Authentication Solution Using the Softex OmniPass Security Client
http://biz.yahoo.com/prnews/080407/aqm502.html?.v=4
SAN FRANCISCO, April 7, 2008 /PRNewswire/ -- RSA Conference -- Atmel® Corporation (Nasdaq: ATML - News) announced today the dual support of its Trusted Platform Modules (TPM) and Biometric FingerChip® solutions within the Softex OmniPass PC Security Client. For the first time, PC ODMs and OEMs are able to obtain a fully integrated TPM and biometric fingerprint sensor solution from a single vendor which includes all hardware and an integrated authentication suite. Atmel's combination improves privacy, eliminates supply chain complexity, simplifies development, and reduces hardware pricing and software licensing costs.
Now, using OmniPass from Softex, Atmel offers a single supplier integrated solution for the PC market that provides the powerful benefits of both the TPM and FingerChip sensor. Atmel can supply OEMs/ODMs with different combinations of the TPM and FingerChip families to meet almost any convenience or security point. Solutions range from very low cost sensor-only options for convenient log on to chipsets with embedded biometric and security coprocessors and a TPM. The TPM offers the very highest security level, and a completely embedded and secure processing environment, ensuring complete privacy and security of a user's personal data, biometric data, and associated passwords and secrets.
Linking Biometrics and TPMs in PCs. TPMs are well known for their protection capabilities in today's PC architectures. Biometric fingerprint sensors are seeing explosive adoption in PCs due to their convenience for authentication and password replacement applications. When combined with the Softex OmniPass application, Atmel's TPM and FingerChip fingerprint sensor provide the core components for a wide range of secure solutions.
Multifactor Authentication. Linking Atmel devices provides a multifactor authentication architecture, resulting in improved security. Authentication is required at two levels; if valid information is provided, the TPM unlocks the PC based on your password, and the FingerChip unlocks the PC based upon your fingerprint.
Availability. This integrated Atmel and Softex solution is available now.
About Atmel
Atmel is a worldwide leader in the design and manufacture of microcontrollers, advanced logic, mixed-signal, nonvolatile memory and radio frequency (RF) components. Leveraging one of the industry's broadest intellectual property (IP) technology portfolios, Atmel is able to provide the electronics industry with complete system solutions focused on consumer, industrial, security, communications, computing and automotive markets.
About Softex
Softex Incorporated was founded in 1992, in Austin, Texas. The company is a leading provider of computer security products and services. Softex serves many of the top tier OEM companies, such as Lenovo, Samsung, IBM, Fujitsu, Hewlett-Packard, Motion Computing as well as hardware vendors such as APC, Synaptics, Ratoc and more .... Softex has expanded its international position with the 2006 opening of its Mumbai, India facility.
© 2008 Atmel Corporation. All Rights Reserved. Atmel®, logo and combinations thereof, FingerChip®, and others, are registered trademarks, or trademarks of Atmel Corporation or its subsidiaries. Other terms and product names may be trademarks of others.
Information:
For more information on Atmel's TPM products, go to http://www.atmel.com/products/embedded
For more information on Atmel's FingerChip products, go to http://www.atmel.com/products/biometrics
For more information about Softex, go to http://www.softexinc.com
Press Contacts:
Nancy Moore, Marketing Communications Manager
Tel: +1 719 540 -3262, Email Nancy.Moore@atmel.com
Helen Perlegos, Public Relations, Tel: +1 408 487-2963,
Email: hperlegos@atmel.com
--------------------------------------------------------------------------------
Source: Atmel Corporation
Good to see more press on TPM.....
http://www.tomshardware.com/2008/02/11/how_hardware-based_security_protects_pcs/
cslewis,
I experienced the same issue when I try to buy the D830 via the "Higher Education" link. However, if you go via the Small and Medium Business link, that problem goes away.
I am guessing that the "Higher Education" link has not been updated to include Vista resulting in the error.
Ispro, Sheldon, Doma,
On the other end of the spectrum (Bruce being a security expert, you have Laporte talking about encrypted drives http://www.twit.tv/ttg407 (this is fairly long broadcast but about 2/3 into it, he mentioned both Hitachi and Seagate's FDE). I believe his counterpart Steve Gibson (Security Now) talked about TPMs earlier. So the word is getting out and each day brings us closer to the tipping point.
He got the software encryption part right but looks like he is not promoting Seagate's FDE (since he is on PGP's board, didn't he used to be on Wave's ???)
http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1129
How Does Bruce Schneier Protect His Laptop Data? With His Fists — and PGP
Bruce Schneier 11.29.07 | 12:00 AM
Computer security is hard. Software, computer and network security are all ongoing battles between attacker and defender. And in many cases the attacker has an inherent advantage: He only has to find one network flaw, while the defender has to find and fix every flaw.
Cryptography is an exception. As long as you don't write your own algorithm, secure encryption is easy. And the defender has an inherent mathematical advantage: Longer keys increase the amount of work the defender has to do linearly, while geometrically increasing the amount of work the attacker has to do.
Unfortunately, cryptography can't solve most computer-security problems. The one problem cryptography can solve is the security of data when it's not in use. Encrypting files, archives -- even entire disks -- is easy.
All of this makes it even more amazing that Her Majesty's Revenue & Customs in the United Kingdom lost two disks with personal data on 25 million British citizens, including dates of birth, addresses, bank-account information and national insurance numbers. On the one hand, this is no bigger a deal than any of the thousands of other exposures of personal data we've read about in recent years -- the U.S. Veteran's Administration loss of personal data of 26 million American veterans is an obvious similar event. But this has turned into Britain's privacy Chernobyl.
Perhaps encryption isn't so easy after all, and some people could use a little primer. This is how I protect my laptop.
There are several whole-disk encryption products on the market. I use PGP Disk's Whole Disk Encryption tool for two reasons. It's easy, and I trust both the company and the developers to write it securely. (Disclosure: I'm also on PGP Corp.'s Technical Advisory Board.)
Setup only takes a few minutes. After that, the program runs in the background. Everything works like before, and the performance degradation is negligible. Just make sure you choose a secure password -- PGP's encouragement of passphrases makes this much easier -- and you're secure against leaving your laptop in the airport or having it stolen out of your hotel room.
The reason you encrypt your entire disk, and not just key files, is so you don't have to worry about swap files, temp files, hibernation files, erased files, browser cookies or whatever. You don't need to enforce a complex policy about which files are important enough to be encrypted. And you have an easy answer to your boss or to the press if the computer is stolen: no problem; the laptop is encrypted.
PGP Disk can also encrypt external disks, which means you can also secure that USB memory device you've been using to transfer data from computer to computer. When I travel, I use a portable USB drive for backup. Those devices are getting physically smaller -- but larger in capacity -- every year, and by encrypting I don't have to worry about losing them.
I recommend one more complication. Whole-disk encryption means that anyone at your computer has access to everything: someone at your unattended computer, a Trojan that infected your computer and so on. To deal with these and similar threats I recommend a two-tier encryption strategy. Encrypt anything you don't need access to regularly -- archived documents, old e-mail, whatever -- separately, with a different password. I like to use PGP Disk's encrypted zip files, because it also makes secure backup easier (and lets you secure those files before you burn them on a DVD and mail them across the country), but you can also use the program's virtual-encrypted-disk feature to create a separately encrypted volume. Both options are easy to set up and use.
There are still two scenarios you aren't secure against, though. You're not secure against someone snatching your laptop out of your hands as you're typing away at the local coffee shop. And you're not secure against the authorities telling you to decrypt your data for them.
The latter threat is becoming more real. I have long been worried that someday, at a border crossing, a customs official will open my laptop and ask me to type in my password. Of course I could refuse, but the consequences might be severe -- and permanent. And some countries -- the United Kingdom, Singapore, Malaysia -- have passed laws giving police the authority to demand that you divulge your passwords and encryption keys.
To defend against both of these threats, minimize the amount of data on your laptop. Do you really need 10 years of old e-mails? Does everyone in the company really need to carry around the entire customer database? One of the most incredible things about the Revenue & Customs story is that a low-level government employee mailed a copy of the entire national child database to the National Audit Office in London. Did he have to? Doubtful. The best defense against data loss is to not have the data in the first place.
Failing that, you can try to convince the authorities that you don't have the encryption key. This works better if it's a zipped archive than the whole disk. You can argue that you're transporting the files for your boss, or that you forgot the key long ago. Make sure the time stamp on the files matches your claim, though.
There are other encryption programs out there. If you're a Windows Vista user, you might consider BitLocker. This program, embedded in the operating system, also encrypts the computer's entire drive. But it only works on the C: drive, so it won't help with external disks or USB tokens. And it can't be used to make encrypted zip files. But it's easy to use, and it's free.
---
Bruce Schneier is CTO of BT Counterpane and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. You can read more of his writings on his website.
Ramsey2,
Thank you for taking the time to help me with this issue. The link you provided is of much help.
Now I want to make sure that I download the correct TPM driver since Broadcom and ST Micro are both included. So I should do my homework and doublecheck everything and download the correct driver and its associated TSS.
I will keep the board posted.....
Jeff
Unix,
Thanks for the link. I searched for Gateway M 465 E and for TPM drivers... only an IBM one showed up.
Jeff
A frustrating experience with the installation of Embassy Trust Suite version 6
I know that a Gateway ETS bundled version was supposed to be included but our IT department could not locate the CD and since I did not really mind "helping" with Wave's revenue, I went ahead and purchased from Wave's site the ETS v6 for $99. I have a Gateway laptop model M-465E.
Well, the installation did not go well. Apparently the ETS v6 did not have the TPM driver and the TSS and Wave's technical support directed me to Gateway.
The Gateway technical person did not have a clue about TPMs and said this was the first time someone asked for a TPM driver and TSS. I persisted and told her that there is such a thing call a TPM and finally she put me on hold and asked for her supervisor's help. Upon her return, she acknowledged that a Wave ETS CD should have been bundled with the laptop but because the college did not buy it at the point of purchase, we did not receive the CD.
I asked if I could buy the CD and she said no because they did not have one to sell! By this time, I was very frustrated being given this go around but the straw that broke the camel's back was when she said, according to her supervisor, I could buy the Wave bundled ETS CD at Best Buy!!!
So, does anybody have any suggestions? Does anyone know the TPM manufacturer (Atmel/Broadcome/Winbond/STM or Infineon) that Gateway uses? Maybe I can go direct to them and download the driver and maybe from NTRU the TSS?
Any help is appreciated
Jeff
CM,
I regularly use their podcasts as a resource teaching my classes (many professors are also doing that).
Many will be expose to TPMs as a result of this.
This is good.
Jeff
Apparently the DIDW folks mispelled his last name....
http://www.lacklandservices.com/tickets/nph-tickets.pl/000110A/http/conference.digitalidworld.com/20...
Pretty sure it is this guy....
Ed Velez, CTO, PEO, EIS, US Army
http://www.military-information-technology.com/PEO-EIS_2006.pdf
See pp 3
What happened to Ed Valdez? I was hoping to hear his comments rather than just Chris's.....
Phoenix Technologies Ltd. Introduces Trusted Security(TM) Suite to Eliminate Dangerous Endpoint Security Leaks; Software Extends Security Policy Enforcement to All Ports
http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20060607005...
MILPITAS, Calif.--(BUSINESS WIRE)--June 7, 2006--Phoenix Technologies Ltd. (Nasdaq:PTEC) today announced Trusted Security(TM) Suite, an innovative endpoint security solution that combines device identification, port monitoring and endpoint auditing software to prevent data leakage and protect an organization's information resources and intellectual property from unauthorized access. Trusted Security Suite is a seamless, tamper resistant solution that uniquely identifies network attached endpoints and shields against network infiltration and data leakage by preventing unauthorized connections through physical ports such as USB, Firewire and PCMCIA.
Enterprise endpoints -- desktops and laptops -- have been swamped by new connectivity methods: conventional storage options such as CDs and DVDs, new devices including flash drives and MP3 players and advanced devices based on WiFi or Bluetooth technologies. These new connectivity options, with their ability to connect seamlessly and instantaneously with enterprise endpoints, increase security dangers such as information leakage, data theft and malicious penetration.
"Today's connected organizations must proactively safeguard endpoints against an increasing number of security threats," said Kort van Bronkhorst, vice president, corporate marketing, Phoenix Technologies Ltd. "Trusted Security Suite provides the industry's first comprehensive endpoint security layer to address this dynamic computing environment. Locking security policy to the device, regardless of its proximity to the network, is an imperative for today's mobile workforce -- a notification of data leakage, after the fact, isn't going to help CIOs sleep at night."
Unlike current solutions which require purchase of nonintegrated products from different vendors at a significantly greater cost, the Phoenix Trusted Security Suite is an integrated solution based upon proven cost-effective technologies.
With Trusted Security Suite, Phoenix extends the trusted computing concept of 'a chain of trust' from the Windows operating system to the ports on the endpoint. The solution includes three key security products:
-- TrustConnector(TM) 2 creates a unique identity for each device that cannot be altered or stolen, preventing attackers from accessing protected systems even if they have valid IDs and passwords. The software further reduces the risk of data and intellectual property theft by protecting keys for certificate-based applications and binding them to device-specific profiles. Even in the unlikely event that the keys are stolen, they would not work on another device. TrustConnector also enables device access policy enforcement to reduce the risk of threats and vulnerabilities from unknown devices accessing enterprise networks and threatening to compromise data and interrupt business operations.
-- TrustTracker(TM) performs reliable, rapid scanning of all network endpoints and attached devices to provide complete visibility of all devices connected to network endpoints and to show vulnerability gaps in enterprise security practices. The integrated software queries all endpoints on the network to find every USB, PCMCIA and FireWire device that has been connected in the last six months and assess exact endpoint vulnerabilities including at-risk ports and TrustConnector usage.
-- TrustShield(TM) enforces administrator-defined port access policies in enterprise endpoints. The software offers granular policy enforcement and monitors and controls all endpoint ports and interfaces from a central location in real time. Policies can be assigned to any domain, group, computer or user in the organization. The TrustShield client agent protects endpoints, operates at the kernel level and is virtually impossible to circumvent.
TrustTracker and TrustShield are powered by Safend(TM).
Pricing and Availability
Trusted Security Suite is available immediately through resellers at a base price of $49.95 with volume discounts. For more information, visit www.phoenix.com.
About Phoenix Technologies Ltd.
Phoenix Technologies Ltd. (Nasdaq:PTEC) is a global market leader in device-defining software that assures endpoint confidence, from the start. The company first established dominant industry leadership 26 years ago with BIOS software, currently has over one billion products deployed and continues to ship in over 100 million new systems each year. From this unique foundation of core system level expertise and firmware offering the highest levels of reliability, Phoenix has created a portfolio of innovative software products that simply and easily identify and restore devices, thereby ensuring unparalleled endpoint security and availability.
With a focused commitment to the highest levels of customer confidence and satisfaction, Phoenix serves enterprise and government channel partners, ODMs, OEMs, system builders and ISVs by enabling them to decrease time to market, differentiate their products, create value, increase profits and lower cost of ownership. Phoenix is headquartered in Milpitas, California, with offices worldwide in global business and technology centers. For more information, visit www.phoenix.com.
Phoenix, Phoenix Technologies and the Phoenix Technologies logo, TrustShield, TrustTracker and TrustConnector, are trademarks and/or registered trademarks of Phoenix Technologies Ltd. All other trademarks are the property of their respective owners.
Safend is a registered trademark and is a trademark of Safend. All other trademarks are the property of their respective owners
Is this new?
http://www.s-ox.com/feature/detail.cfm?articleID=1704
Trusted Computing Can Make Financial Services Transactions More Secure
2006-03-28 12:00:00.0 CDT
By Steven Sprague
The Sarbanes-Oxley Act is designed to protect investors by improving the timeliness, accuracy and reliability of corporate data and financial disclosure information. In the financial services arena, regulatory authorities, financial services providers and end users are also eager to improve the accuracy and reliability of Internet-based financial services transactions to protect consumers from the growing problem of online financial fraud. Enterprises, government and consumers are increasingly demanding a computing environment that is more trusted, private, safe and secure.
In a recent high profile action, the Federal Financial Institutions Examination Council (FFIEC) recently issued guidance suggesting financial institutions offering Internet-based financial services should use more effective methods to authenticate the identity of customers. The FFIEC noted the continued growth of Internet banking and other forms of electronic banking activities and the increased sophistication of threats to those environments have resulted in higher risks for financial institutions and their customers.
Industry analysts in late 2005 reported that on-line banking customers were using on-line banking services less frequently due to concerns over data security. The uncertainty over the continuing inability to reliably determine authentic digital identities continues to undermine many financial transactions.
Cases of financial cyber-fraud, identity theft and data losses from large financial services companies such as Bank of America, Wachovia and Citigroup highlight the fact that valuable data continues to be at risk. And other companies that amass customer financial information, such as the December news that the timeshare unit of Marriott International Inc. reported the loss of 206,000 customers' sensitive personal data, shows that most companies are indeed at risk.
Data breaches include the loss of sensitive employee and customer profiles, social security data and credit information and outright identity theft. Information is lost through mishandling, theft, unauthorized access to IT networks and malicious attacks.
More than one million federal employees have had personal data lost or stolen in 2005, including those of the Federal Deposit Insurance Corp. The Chairman of the FDIC, Don Powell, was quoted that "Identity theft, particularly account hijacking, continues to grow as a problem for the financial services industry and for consumers. Our review illustrates that ID theft is evolving in more complicated ways and that more can and should be done to make online banking more secure."
The information technology industry in particular is responding to significant electronic security challenges by encouraging the development and delivery of a range of new, open standard, hardware chip-based security solutions, delivering improved electronic authentication applications, and a kind of electronic safe or vault that can be of great value in the financial services industry.
These efforts are being stimulated by the formation of the Trusted Computing Group (TCG), an association of more than 110 global IT leaders.
The TCG is a not-for-profit organization formed to develop, define, and promote open standards for hardware-enabled trusted computing and security technologies, including hardware building blocks and software interfaces, across multiple platforms, peripherals, and devices. TCG specifications will enable more secure computing environments without compromising functional integrity, privacy, or individual rights. The primary goal is to help users protect their information assets (data, passwords, keys, etc.) from compromise due to external software attack and physical theft on platforms including not only PCs but servers, peripherals, mobile devices, the network and related infrastructure.
Leading members of the TCG include AMD, Dell, HP, IBM, Intel, Microsoft, Motorola, Sony, Sun Microsystems, STMicroelectronics and Wave Systems. The members span the IT industry from silicon vendors to network services providers. Industry developers, manufacturers and service providers use TCG specifications to build products that protect and strengthen computing platforms against software-based attacks. The new hardware based security building blocks defined by the TCG specifications provide a new design approach with new trusted computing capabilities being integrated as a foundation of the user devices.
In contrast, traditional older generation security approaches have taken a “moat” approach which attempted to create electronic boundaries or firewalls that mirrored organizational boundaries. However, today’s new web services are aimed at making boundaries virtual so that customers and suppliers can have ready access to important information which resides inside corporate information systems. In addition, the security of today’s systems is based almost exclusively on software, which has proven to make them highly vulnerable to malicious attacks from the network. Finally with the increased mobility of devices for access at all times in all places the threat of physical theft and loss has seen a corresponding increase.
TCG standards today are based on a special purpose security chip, integrated on the motherboard of the PC, called a Trusted Platform Module (TPM). These security chips use an open standards approach which enables the implementation of a standardized security ‘building block’ as the anchor of trust within the PC. A TPM, a secure key generator and key cache management component, enables protected storage of encryption keys and authentication credentials for enhanced security capabilities. This is in contrast to today’s weaker security solutions that rely on software to hide ‘secrets’, build firewalls, and protect encryption keys and digital.
With encryption key protection in the hardware of the Trusted PC, what can Trusted Computing do for the financial services industry? First, you can solve several of the most nagging issues in data security today, delivering access control through stronger user authentication, verifying the person attempting to enter the network, and stronger device validation, including who owns the machine attempting to enter the network.
Financial services companies and government agencies remain vulnerable to malicious attack when unauthorized users authenticate and spoof themselves and their PC platforms into insecure IT networks. As the FDIC points out in its latest report, access to accounts through user name and passwords has proven to be a weak link in the identity management process. Software-only login and sign-in processes have proven to be easily breached. Strong user authentication through multifactor authentication and platform validation make malicious access attacks far more difficult.
This directly addresses the FFIEC concern that single factor authentication (like a password), when used as the only access control mechanism, is potentially inadequate for high-risk transactions involving access to customer information or the movement of funds to others parties.
The trusted computing TPM chip can safely store user credentials such as digital certificates, and provide superior protection of existing passwords. With your private encryption keys stored in a security chip – a “safe,” users may now be strongly authenticated and the risks from compromise by network attacks of viruses and Trojan horses can be dramatically lessened. Protected storage of keys allows for the creation of strong, complex passwords to further strengthen the authentication process.
Besides strongly authenticating who you are, the TPM security chip can also enable strong authentication of the device you are using, including whether it has a configuration which has not been comprised and meets the requirements of the network it is attempting to access. Trusted PCs are widely available today, but eventually other trusted devices such as cell phones and PDAs will also contain these advanced security features.
In most insecure systems today, configuration settings are stored in system memory and are vulnerable to attack. With Trusted PCs, the settings are used to create attestation identity keys that cannot be used unless a value is the same at the time of use as when the key was created. This helps to determine if the trusted state configuration has been altered. If it has been changed, network administrators can deny access.
Working with this dramatically improved secure hardware environment, software companies like Wave Systems can offer a range of applications and services for Trusted PCs that provide immediate value and return on investment to address pressing security concerns. Additionally, companies like Wave are beginning to provide key management services and the trust infrastructure components that IT professionals require for managing Trusted PCs in the enterprise or government environment.
Just as financial services companies go to great lengths to protect monetary assets, financial assets today are most often in data form and can be better protected in the TPM environment.
Access control and authentication can be implemented with computing technology that works within the recognized trusted computing framework. This offers a best practices implementation that is a foundation for the automation of security. Trusted computing can also be useful for meeting the new regulatory compliance requirements for audits and tracking in this industry.
Trusted computing has a role within the banking organization but its more important role may be between the bank and the customer. Trusted computing provides a technology platform that is expected to be a standard feature in most PCs and mobile devices. The effect of a standard is to reduce the number of proprietary implementations and ensure interoperability and availability. This will enable the banks to have a pervasive and integrated solution for strong authentication which does not require the issuance and management of external hardware tokens or keys. The TPM is projected by analysts to be available on equipment in the consumer’s home, their laptops, and mobile devices. Analysts are projecting as many as 50 million trusted PCs shipped by 2006 and double that the following year. As customers have access to integrated strong authentication technology as part of their new PC purchases the banks will have the opportunity to significantly expand the online services that will support and use strong authentication.
The benefit of trusted computing technology is that the trusted platforms become part of the identity equation as well as enabling a user to establish the appropriate usage policies for their home PC, work PC and mobile devices. If logging onto a bank from a kiosk, even with a portable identity token, the bank may issue the consumer a limited access to services based on the lower level of security of the public kiosk. When a consumer logs on from home, however, he or she can have access to a full service branch since the bank will be able to verify the trusted configuration of specific consumer PC. This type of model exists today where an ATM only provides limited access and banks have mini branches and full service branches. By enabling strong authentication the banks digital web service offerings can grow substantially while simultaneously reducing the risk of fraud.
The IT industry’s trusted computing thrust today is one of the few open standards, strong authentication mechanisms that can meet the needs of financial industry. As the banking industry evaluates different solutions for stronger authentication, as recommended by the FFIEC guidance, the industry should consider making sure that whatever solutions are selected include trusted computing.
Online security is a complex topic and there are many technologies and choices. However, today there are easy steps that financial services institutions and consumers can benefit from both immediately and long term.
Make sure all new PCs procured are trusted PCs which include TPM security hardware and software
• Enable all online services to support multifactor authentication with the TPM as a ‘trusted’ identity token vEnable all internal networks to support platform authentication using the TPM, eventually adding TPM Integrity Measurements with attestation for assuring that only valid configurations can gain to access the network
• Ensure all data on client and server platforms is stored encrypted on the hard disk
• Use machine identity as part of information policy to integrate hardware location and the resulting physical security
• Limit the number of records that can be retrieved from a database by a specific terminal, to prevent mass theft of records
• Promote consumer use of trusted computing in the purchase of their next PC, even if online services are not ready.
• Trusted PCs are shipping today so financial services organizations should let customers know they will be supporting the technology
• Ask all of your networking and service vendors to support trusted computing within their platforms
Summary and Next Steps
The transition to Trusted Computing can be easy both for individual users as well as enterprises. As existing PCs are replaced on their typical three or four year replacement cycle, Trusted PCs with TPMs should be specified. The TPM will become even more important as time goes on with software such as Microsoft’s new Vista operating system specifying it as a prerequisite feature. Robust applications software and trust infrastructure servers are now available leveraging trusted computing, which allow both individuals and enterprise users to immediately activate and benefits from their TPM enabled PCs for new levels of security, including the multi-factor authentication required by the FFIEC.
Winmagic To Develop First Full-Disk Encryption Software To Fully Integrate With Infineon's Trusted Module Platform (TPM) Security Chip
Published 13th March 2006
Integrating WinMagic’s SecureDoc Full-Disk Encryption With Infineon’s TPM Chip Makes It Simple To Protect All Data On Desktops And Easily-Stolen Laptops
Mississauga, Ontario, March 13, 2006 – WinMagic Inc. (www.WinMagic.com), the innovative leader in full-disk encryption, today announced at CeBIT (Hall 7, Booth A20) that its SecureDoc solution will be the first full-disk encryption software to fully integrate with the Trusted Platform Module (TPM) authentication and secure data storage chip from leading TPM security chip provider, Infineon Technologies – making it simpler and more cost effective to combine the benefits of full-disk encryption with positive user authentication and secure key storage within a complete security solution.
The Trusted Computing Group (TCG), founded by an alliance of high-profile computer companies, including Microsoft, Intel, IBM, Sun, and Hewlett Packard, standardized and specified the TPM chip as the main trust and security component for the next generation of secure computers and other platforms. Already installed in over 20 million desktops, laptops, and hand held devices worldwide, the innovative TPM chip essentially acts as a trusted key store, which can be used for secure authentication and code integrity. With the TPM chip activated, a user can be positively authenticated to their computer during logon with a simple Personal Identification Number (PIN), and can also take advantage of improved security features, such as the ability to limit the number of log-in attempts, which were previously only available by purchasing a multi-factor authentication device.
“Today’s organizations understand that it is impossible to guarantee the security of internal, partner, and customer data without encrypting the entire hard drive on both desktops and easily-stolen mobile devices – which the FBI estimates are responsible for half of all network breaches,” said Thi Nguyen-Huu, President & CEO, WinMagic. “Already recognized as the only full-disk encryption provider to integrate with all major smart cards, tokens, biometric devices, and PKI authentication technologies at pre-boot, WinMagic will now be able to provide organizations with a simple and cost-effective method of seamlessly integrating full-disk encryption with the next-generation security of Infineon’s TPM chip.”
Utilizing Public Key Cryptographic Standards PKCS-11 from the ground up, SecureDoc’s extreme adaptability enables an easy and reliable interface with Infineon’s TPM chip for key handling. The SecureDoc line has earned an impressive list of validations, including NIST Cryptographic Module Validation and FIPS 140-1 Level 2, and is scheduled to obtain the Common Criteria Evaluation Assurance Level 4 (EAL-4) certification.
http://www.justloadit.com/pr/5744
http://www.newsfactor.com/story.xhtml?story_id=0120001EB72C
HP Teams with China on Massive Grid Project
By Jack M. Germain
March 6, 2006 11:00AM
"HP is a leader in grid technologies and continues to invest in research and development efforts to advance grid technology, where application services execute on shared I.T. resources," said Meichun Hsu, director of HP Labs China. "We are proud to play an important role in a collaborative and secure grid-computing environment for this visionary undertaking by the Ministry of Education."
Hewlett-Packard has joined forces with the Chinese government to develop the ChinaGrid, which, when finished, will be one of the world's largest grid computers with a full 15 teraflops of computing power. It will consist mostly of HP ProLiant and HP Integrity servers.
HP officials said Monday that the grid initiative by the Chinese government will extend I.T. resources and services to thousands of researchers and the more than 290 million students in the country's university system.
The ChinaGrid facility, which opened its doors during the last week of February, is running under the direction of the China Ministry of Education.
"The success of ChinaGrid is due to the collaborative efforts of technology leaders like HP," said Hai Jin, ChinaGrid's chief scientist and the dean of the School of Computer Science and Technology at Huazhong University.
"HP Labs has been working closely with the ChinaGrid team to develop one of the world's most advanced grid monitoring systems," he said.
Under Development
A team of researchers from the new HP Labs in Beijing and various Chinese universities is currently developing monitoring, measurement, security, and visualization mechanisms for ChinaGrid. When completed, the system will be known as the ChinaGrid National Monitoring Center.
"HP Labs researchers are working with ChinaGrid researchers to solve important grid-technology challenges," said Sara Murphy, HP Grid Program Manager.
She added that the grid will serve several purposes, including powering a Web-based language-instruction application at a Hong Kong university, a suite of bioinformatics applications, and a videoconferencing system.
According to Murphy, the team initially will focus on two primary areas. The first is the automated monitoring of the grid to reduce the need for operator intervention. The second area of focus will be on trusted computing for enhancing the grid's security.
Liberty Alliance to Speed Wide-Scale Adoption of Strong Authentication Solutions
http://www.prnewswire.co.uk/cgi/news/release?id=157765
NEW YORK, November 8 /PRNewswire/ --
- Consortium forms global expert group to help organizations meet new industry demands for universal strong authentication
The Liberty Alliance Project, a global consortium for open federated identity and Web services standards, today announced the formation of a global, cross-organizational expert group focused on developing open specifications for interoperable strong authentication. Liberty's new Strong Authentication Expert Group has been created to speed the worldwide deployment of interoperable strong authentication and to help organizations meet new industry-wide demands for universal strong authentication solutions.
The Strong Authentication Expert Group (SAEG) leverages the work Liberty Alliance has been doing for the past year in defining clear market requirements for appropriately deploying strong authentication in a federated network. The group will expand this work beyond federation to build ID-SAFE (Identity Strong Authentication Framework), an open framework to allow strong authentication solutions such as, hardware and software tokens, smart cards, SMS-based systems and biometrics to interoperate across organizations, networks and vertical market segments.
"With increasing industry demand for better protection against online fraud and identity theft, there can be no question that the time for universal strong authentication has come," said Timo Skytta, vice president of the Liberty Alliance. "By forming the Strong Authentication Expert Group, Liberty is committing to rapidly deliver well defined and highly deployable solutions to help organizations meet new and pressing requirements for stronger authentication."
On October 12, 2005, the US Federal Financial Institutions Examination Council (FFIEC) issued new guidance for banks on online authentication, which acknowledges that passwords alone are insufficient as the only means of security to protect a consumer bank account. This new guidance calls on banks to implement better ways to authenticate the identity of customers using online products and services. While governments and organizations around the world have moved to implement similar requirements, financial institutions based in the US are expected to achieve compliance with the new FFIEC guidance by the end of 2006.
Liberty's ID-SAFE will help all organizations more easily meet the challenges in implementing solutions consisting of more than usernames and passwords to strengthen online authentication. "Gartner predicts that by 2007, 80 percent of organizations will reach the 'password breaking point' and will need to strengthen user authentication with alternative security methods," said Ant Allan, research vice president at Gartner. "Businesses need to put roadmaps in place now that will allow them to phase out passwords and replace them with stronger authentication methods."(i)
Strong authentication requires at least two forms of identity authentication for accessing a network or online application. Liberty's ID-SAFE will offer standards-based online identity protection to allow organizations to deploy interoperable strong authentication faster, more cost-effectively and on a wider scale.
Widely deployed strong authentication based on ID-SAFE will provide organizations with opportunities to focus more on developing new business lines and e-commerce offerings while being able to rely on universal strong authentication that is easy to deploy and manage. Consumers will benefit from ID-SAFE with increased protection against identity theft and fraud, a seamless user experience across networks and advanced privacy protection based on individual consent and control.
"The lack of strong authentication in the online space is demonstrably one of the most significant causes of identity theft," said Michael Barrett, co-chair of the Liberty Alliance Identity Theft Prevention Group, and VP Security/Utility Strategy at American Express. "The recent FFIEC guidance on strong authentication will likely change how organizations manage online identity threats, but initiatives for addressing these issues need to be coordinated via agreed industry standards -- and that's where the Liberty Alliance has a strong track record of fast delivery."
Liberty is modeling the ID-SAFE technical development process on the successes Liberty has had in rapidly driving open identity specifications for federated identity management (Liberty Federation Framework, ID-FF) and Web services (Liberty Web Services Framework, ID-WSF) resulting in extensive deployments and implementations worldwide. Working in a collaborative, non-proprietary and multi-vendor environment, the group expects to release the first version of ID-SAFE specifications in 2006. Liberty Alliance regularly incorporates relevant work from other open standards bodies into its specifications and welcomes these organizations to participate in the development of ID-SAFE.
Liberty Alliance Strong Authentication Expert Group Member Quotes
Axalto -- "For 25 years Axalto has been committed to market expansion through the encouragement of open standards. We are excited to work through Liberty Alliance and the new Strong Authentication Expert Group to promote a framework that makes digital identities and strong authentication easier to use. The formation of the SAEG closely matches our internal initiatives for Axalto's Protiva Strong Authentication product line and we believe efforts of the SAEG are key to ensuring cost effective, flexible solutions to secure the future of our digital world." -- Marvin Tansley, Vice President Products, Axalto
BMC Software -- "BMC Software is committed to working with the Liberty Alliance Strong Authentication Expert Group to promote strong authentication interoperability for federated identity management solutions. With rise of identity theft and regulatory requirements for better identity verification and authentication, more and more organizations are interested in strong authentication solutions. Delivering secure, interoperable solutions that leverage Liberty standards help our customers establish trust in their environments and better leverage their federated identity management solutions." -- Doron Cohen, CTO of the Identity Management Business Unit, BMC Software
Diversinet Corp -- "As consumers around the world become more concerned with the repercussions of identity theft, strong authentication is quickly becoming a basic requirement. Diversinet is very pleased to support the formation of the Liberty Alliance Strong Authentication Expert Group, and we look forward to the opportunity to contribute our knowledge and experience in consumer-scale strong authentication gained from our MobiSecure soft tokens and over-the-air provisioning services." -- Stu Vaeth, Chief Security Officer, Diversinet Corp.
Falkin Systems LLC -- "Without trusted, reliable strong authentication that is user centric and controlled, the reality of the Internet as the prime channel of and for commerce, society and government will never come to pass. Positive verification and validation rather than simply authenticating possession of a token and knowledge remains the single most important solution to securing value, reputation, and safety. Industry's solutions must put identity safely and accurately back in the user's control. We at Falkin Systems believe that only through cooperation with the end-user community and with each other will the solution vendors solve the complex and future defining problem of digital identity and authentication. The Liberty Alliance remains as one of the main collaboration community to solve this and provide a language, grammar, and vocabulary to digital identity. We look forward to working with our peers to solve today's most elusive problem." -- Rob Marano, CTO, and Dr. Simon Ben-Avi, Chief Scientist, founders of Falkin Systems LLC, provider of the Universal Authentication Platform (TM)
Financial Services Technology Consortium (FSTC) -- "FSTC is pleased to support the Strong Authentication Expert Group's efforts to develop technology standards and practices. The SAEG and its efforts dovetail perfectly with FSTC's Security Standing Committee and its Better Mutual Authentication initiative currently underway, involving 25 financial institutions, technology providers, and industry organizations. FSTC shares the goal of making it easier for consumers and corporations to adopt improved authentication practices." -- Zachary Tumin, Executive Director of FSTC
HP -- "Interoperability of multiple authentication mechanisms in federated environments is a key enabler for security and privacy in online commerce, corporate remote access and secure mobile access. Enterprises in various industries across the world are facing the challenge of inadequate and weak identification technologies, brought to the forefront by the recent increase in phishing, identity theft, security and privacy breaches. Furthermore, enterprises are requiring strong privacy and data controls for regulatory compliance purposes. HP fully supports the formation of the Strong Authentication Expert Group (SAEG) within the Liberty Alliance and is pleased to be part of this market-driven team of customers, vendors and technology partners dedicated to define a secure, standards-based industry framework that enables interoperability." -- Todd DeLaughter, VP/GM of Management Software Business at Hewlett-Packard Co.
Intel -- "Intel recognizes the critical need for computing, communication, health, and entertainment platforms to support a variety of strong authentication mechanisms in all market segments, from eCommerce to corporate networks, in a way that users can easily understand and manage. Liberty is well-positioned to appropriately balance the competing requirements of secure access and privacy to create an ID-SAFE framework that will permit providers to offer, and users to access, services with confidence." -- Raj Hazra, Ph.D., Director, Systems Technology Lab, Intel Corporation
Kantega AS -- "Being a strong supporter of Liberty Alliance's open standards for federated identity, Kantega is exited to join Liberty's Expert Group for Strong Authentication. Kantega sees the development of open standards in this area as an important next step in developing federated identity for high security applications such as online banking. We look forward to contributing to this work based on our broad experience in strong authentication and federated identity." -- Gunnar Nordseth, CTO, Kantega AS
Oracle -- "Key to the Liberty Alliance's success is its ability to bring together enterprises and vendors to develop open standards. Today, organizations of all sizes and industries are demanding a standards-based means for improving protection against identity fraud and theft. Oracle looks forward to working with members of the Strong Authentication Group in order to meet the rising demand for standards supporting strong authentication." -- Roger Sullivan, Vice President, Identity Management, Oracle
RSA Security -- "The formation of this Expert Group brings great promise for the truly open dialogue on strong authentication that the industry is looking for. The Liberty Alliance is unique in comprising a broad cross-section of end-users and vendors, and - as a founding board member with a long-running commitment to industry standards - we applaud the Alliance's efforts in bringing these leading organizations together. We look forward to productive participation." -- Burt Kaliski, vice president of research at RSA Security and chief scientist, RSA Laboratories
US Department of Defense / Defense Data Manpower Center -- "The Department of Defense is committed to working with industry partners to strengthen the assurance for federated identities and web services. The creation of the Strong Authentication Expert Group (SAEG) by the Liberty Alliance Project signals a recognition of the need for this increased assurance in all aspects of American life. In its Common Access Card program, the DoD has already made a great commitment to a strong identity smartcard credential. Working with industry to help define stronger identity assurance standards will help protect our service members, their families and all American citizens." -- Greta Lehman, Director, Identity Authentication Office, Defense Manpower Data Center
VeriSign, Inc. -- "For strong authentication to achieve its true potential, fresh approaches are needed in the development and deployment of two-factor authentication services. Two years ago, VeriSign, along with several industry partners, sought to address the need for an open standards-approach with the creation of the Initiative for Open AuTHentication. VeriSign applauds the Liberty Alliance for also recognizing this need, and we look forward to contributing to the ultimate goal of an open, global and federated authentication service that benefits all Internet users." -- Kevin Trilli, director, product management, Authentication Services, VeriSign.
Wave Systems -- Wave Systems has been involved with the Trusted Computing Group (TCG) since its inception working to define open specifications for standardized security building blocks. Wave develops trusted computing software and services solutions supporting the TCG standards. Today, one of the specifications with broad adoption is the Trusted Platform Module (TPM), an implementation done as a silicon chip which is being shipped in millions of PCs today. Products developed using the TCG specifications help answer the questions of 'who are you' and 'can I trust you', for both the user and their network devices. The Strong Authentication Expert Group within the Liberty Alliance provides an excellent industry forum to define how Liberty's federated identity and web services standards can work with the TCG security specifications to provide complementary and interoperable approaches for assuring both the identity and integrity of people and machines." -- Lark M. Allen, EVP - Business Development, Wave Systems
About Liberty's Strong Authentication Expert Group
Some of the members currently participating in the Strong Authentication Expert Group include American Express, Axalto, BMC Software, Diversinet Corp., Falkin Systems LLC, Financial Services Technology Consortium, HP, Intel, Kantega AS, NEC, NTT, Oracle, RSA Security, US Department of Defense / Defense Data Manpower Center, Vodafone, VeriSign, Inc. and Wave Systems. Membership in the Strong Authentication Expert Group is open to all Liberty sponsor and board members interested in helping to drive interoperable strong authentication.
About the Liberty Alliance Project
The Liberty Alliance Project (http://www.projectliberty.org) is a global alliance of companies, non-profit and government organizations developing open standards and business, policy and privacy guidelines for federated network identity. Federated identity offers businesses, governments, employees and consumers a more convenient and secure way to control identity information and is a key component in driving the use of e-commerce, personalized data services and identity-based Web services. Liberty specifications are deployed worldwide by organizations that include American Express, AOL, BIPAC, General Motors, France Telecom, Nokia, NTT and Sun Microsystems. Membership is open to all commercial and non-commercial organizations. A full list of Liberty Alliance members, as well as information about how to become a member, is available at www.projectliberty.org.
(i) Gartner Research "Passwords Are Near the Breaking Point" by Ant
Allan. December 6, 2004.
CONTACT:
Russell DeVeau
Liberty Alliance Communications
+1-718-263-1762 - New York
+1-908-251-1549 - Mobile
russ@projectliberty.org
AOL IM: devcommruss
Web site: http://www.projectliberty.org
Intel Roadmaps Do you have a pass for the Embassy?
Sorry if posted.
http://www.theinquirer.net/?article=26335
Trusted Computing waves its spooky fingers again
Intel Roadmaps Do you have a pass for the Embassy?
By: INQUIRER staff Wednesday 21 September 2005, 10:54
CHIP FIRM Intel is preparing to bundle software with its "executive series" boxed motherboards that relies heavily on the concept of Trusted Computing, the cunning hardware and software scheme that is part of the Trusted Computing Alliance.
We haven't heard much about Trusted Computing for the last year or so from Intel and the other vendors, but that doesn't mean it's given up on the concept. Far from it.
TPMs - trusted modules - are part of the "executive series" of boxed mobos, known as the D945GTPLKR, the D945GCZLKR, and the D945GNTLKR. These SKUs (stock keeping units) will support iAMT, and each includes a TPM.
The software bundled with the "executive series" boards includes Wave Systems' Embassy Trust Suite, Farstone Restor IT Gold, Farstone Virtual Drive, Webex, LAN Desk System Manager, and Kingsoft WPS Office Storm. µ
See Also
Wave is the doorman at the Trusted Computing Alliance ball
Intel confirms future PC products to use Wave TCPA
Trusted Computing Platform becomes real in Intel Springdale
Awk,
Carl's leadership role within NSF in particular CyberTrust may be complementary to TC. He is well-known and respected in academia, along with David Faber. Will have to see what develops next.
http://www.isr.umd.edu/ISR/faculty/FacultyBios/Landwehr_bio.html
Awk,
Wow, nice work!
Describing and defining Trusted Computing
Greetings All,
I have been a long since 99' and mostly a lurker (from RB and now here). Met Snackman and others during a Wavx Chicago meeting a few years back.
I need help and suggestions from this board. I am currently completing my dissertation titled "A Model of Trusted Computing in Higher Education" and about to deploy a web-survey asking faculty, students and administrators their views on TC. However, my preliminary feedback tells me that participants would be well-served if the definition of TC is clearly laid out.
Therefore, if I may, I like your suggestions and TC links. The goal/trick is to present sufficient information from credible sources. I have discussed this already with Brian B. and Lark A. from Wave. Lark was so kind to respond in depth, acknowledging the difficulty in describing and defining TC in concise and meaningful ways. Some of us here are quite comfortable with this technology and understand it, in varying depth. There are however many that still are not familiar with TC. The more we can do to familiarize others, the better off we are to realize the pervasive deployment of TC. I plan to send out about 2,000 emails for this survey.
The players are busy defining the space. Wave/Dell/TCG/Industry are focusing on enterprises. Wave is obviously wanting to get into government and rightly so. Higher education/academia as "an industry" is quite huge, a $4 billion entity. Depending on what happens in enterprises/governments, TC in higher education may not be far behind!
This board is AMAZING. The collective efforts of Awk/Doma/Bbigtim/Rachelelise/Weby/2bSteality/Vacationhouse/24601/Barge/Snackman/Wahoograd/Eamonnshute/C2 (the list is too long to acknowledge everybody) are very much appreciated, especially in those dark days.
So as not to "clog" this forum, feel free to forward your info or links to wavx888@yahoo.com
Blessings,
Jeff
OT Doma
Thanks for the update. Check your email shortly.
Wavx888
Doma/Awk. Found the link that has the screenshots...post 2518.
Still like to know what "ODM" stands for.
Wavx888
Doma, you are amazing. Thanks.
2 questions:
- what does "ODM" stands for? (pp13)
- I am interested to view the "screen shots" starting page 16. It is missing...any ideas?
Wavx888
Great Snackman, the confusion is over.
Did you mention earlier about lifetime membership for IHUB? I looked and was able to find info regarding annual dues of about $90...not lifetime.
Wavx888
OT Eamonnshute/Zen 88
"8" in Cantonese (dialect of Mandarin/Chinese) means prosperity!
The Chinese habitually pay thousands of dollars to have their auto license plate with such combinations (168/118/888).
Eamonnshute/Tony, I am sure you see lots of those in Singapore/Hong Kong !
Wishing WAVX lots of PROSPERITY!
Wavx888
Greetings,
I am a long time investor (1999) and a lurker!
I recently completed all my course work and now focusing on my dissertation.... hopefully on Trusted Computing!
May I have your email..... I am 'struck' on how TC is/will affect education/distance learning/ecommerce/security in higher education etc. I am so impressed with your DD/knowledge and appreciate your input.
My email is wavx888@yahoo.com
Jeff Teo