Re: wavoid4e post# 172324

Sunday, 11/02/2008 7:03:13 AM

Post# of 249201
wavoid4e, Here's another related article.

http://browser.grik.net/news.cnet.com/8301-1009_3-10079593-83.html

At the bottom of the article Steven Sprague makes the following comment with replies following.

************************************************

Comment by skswave October 31, 2008 6:38 AM PDT

To eliminate the risk to Trojans all that needs to be done is to have the banks enable support for the Trusted Platform Module. TPMs have been shipped on over 275 million PCs and the volume is still increasing. This technology would allow for a secure bonding between that PC and the bank that is based on highly reliable technology. The PC industry has provided the capability but it is now time for the Financial services industry to join the parade. Once a PC is bonded to the service provider, the consumer will have a secure channel to conduct business. The secure authentication is based on secret keys held in hardware that are specifically created for that individual account. The user gets a better experience and the bank has a high level of assurance that the user is who they say they are. It is impossible for a trojan to steal the secret keys held in the TPM as the hardware would have to be compromised which is not possible with software. Ask your financial institution when they will begin supporting the TPM and ask your employer as well. There is no reason to continue to rely on Username and Password. With over 140 companies supporting the TPM as an industry standard hardware component, it is a great vendor neutral Standards based solution to security.

Steven Sprague
Wave Systems Corp.

**************************
Following are replies (warning: ignorance abounds)
***************************
by Vegaman_Dan October 31, 2008 7:53 AM PDT

TPMs are an interesting idea, but hardly the solution. They already have forked in versions which are not backwards compatible. If you have your account locked to one TPM, then you cannot access it with another computer. If you ever have your system board changed, you lose access as well as the TPM is part of that system board. Even doing things like updating the BIOS can wreak havoc.

It's a nice idea, but the real world practicality just isn't there yet.

****************
by Hunnter2k3 October 31, 2008 7:57 AM PDT
This is simply delusional.
There is no such thing as a 100% secure system.

If a trojan gets onto a computer, it is capable of getting any information from any device wired to it.

The only way to prevent something like this would be an embedded OS that takes control over the OS below whenever something tries to access the TPM hardware, and whether to allow or disallow.
No chance in that happening any time soon.

******************
by Imalittleteapot October 31, 2008 8:13 AM PDT

Wait, like so how does that work exactly? Like, if my computer breaks and then I get a new one it's a different TPM, but I can't log into the website with my old TPM to switch over to the new TPM because my old TPM is broken and I can't authenticate. How do I log in at work and my mom's house if the bank only trusts my TPM? What about my laptop? How do I get my gigantic desktop PC in that little slot in the ATM machine? What if I don't even have a computer but just want to check my balance at a friend's house?

Anyway, the way this trojan works, I don't think it'll help. With a slight mod it could just serve up another page that looks almost like your bank's website and just do a standard phishing attack. Even though your bank may not normally ask for account information or pin number the fake site may anyway. Many people will still fall for it. Just like when your ISP says we will never ask for your password, but as soon as people get a fake email asking for it they reply back with their password. It's just stupid human nature.

Now it's another form of security. Yes it would stop some attacks, but people will never use it because people will lose the ability to log in from any machine. Is it dumb for them to be logging into their bank account from just any old machine? You betcha! Will stupid people complain anyway if they can't do that? You betcha! If people lose convenience they will not use it. The best we could probably ever do is use smartcards that plug into the computer's USB port to auth websites and a USB port on ATM machines and cash registers. It's different, but it's similar enough to what people already do. They could be authenticating with public/private key technology where the private key never has to leave their handheld device.

Now, maybe I just don't get TPM, but that's the problem. Apparently TPM isn't very intuitive either let alone its other flaws. Like when it started out as another failed DRM technology to restrict what I can and can't do with my own machine. Not so I could trust it, but so big companies could trust my machine to take orders from them instead of me in case I'm pirating their stuff. I really don't want anything to do with that even if it's simply because of how it got started in the first place.

***************************
by Imalittleteapot October 31, 2008 8:17 AM PDT

Oh and one more thing, even if we all had and used smart card devices instead of credit cards and username/password, even though I might trust that technology, I still wouldn't use it on a machine I knew had a trojan because once it's compromised it's compromised. You can no longer trust anything that machine tells you.
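
The device-bound login argued over in this thread, as an added sketch that is not part of the article, the comments, or any vendor's code: a per-account key that never leaves the device answers a one-time challenge from the bank, a replayed answer is refused, and a replacement machine is locked out until it is enrolled again. `HardwareToken`, `Bank` and the account id are hypothetical, and a software Ed25519 key stands in for a key held in a TPM or smartcard.

```javascript
// Added illustration; HardwareToken, Bank and 'acct-1001' are hypothetical.
// A software Ed25519 key stands in for a key generated inside a TPM or smartcard.
const crypto = require('crypto');

class HardwareToken {
  #privateKey; // private field: no method returns or exports it
  constructor() {
    const pair = crypto.generateKeyPairSync('ed25519');
    this.#privateKey = pair.privateKey;
    this.publicKey = pair.publicKey; // the only key material the bank ever sees
  }
  sign(message) {
    // The token signs whatever bytes the host hands it. The key stays put,
    // but the result says nothing about whether the host itself is trustworthy.
    return crypto.sign(null, Buffer.from(message), this.#privateKey);
  }
}

class Bank {
  constructor() {
    this.enrolled = new Map(); // account -> public key bound at enrollment
    this.pending = new Map();  // account -> outstanding one-time challenge
  }
  enroll(account, publicKey) { this.enrolled.set(account, publicKey); }
  challenge(account) {
    const nonce = crypto.randomBytes(16).toString('hex');
    this.pending.set(account, nonce);
    return nonce;
  }
  verify(account, signature) {
    const nonce = this.pending.get(account);
    const key = this.enrolled.get(account);
    this.pending.delete(account); // each challenge can be answered once
    if (!nonce || !key) return false;
    return crypto.verify(null, Buffer.from(`${account}:${nonce}`), key, signature);
  }
}

function demo() {
  const bank = new Bank();
  const home = new HardwareToken();
  const replacement = new HardwareToken(); // new PC or swapped system board
  bank.enroll('acct-1001', home.publicKey); // constructed account id
  const login = (token) => token.sign(`acct-1001:${bank.challenge('acct-1001')}`);
  const sig = login(home);
  return {
    enrolledDevice: bank.verify('acct-1001', sig),      // fresh challenge, right key
    replayedSignature: bank.verify('acct-1001', sig),   // challenge already consumed
    replacementDevice: bank.verify('acct-1001', login(replacement)), // key not enrolled
  };
}
```

The last result is the recovery problem the replies raise: the bank needs some separate, equally strong path to enroll a new device when the old one is gone.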
