Trusted computing and DRM: Friend or foe?

A respected mentor of mine, Steven Northcutt of SANS, once told me, "Eat the watermelon and spit out the seeds." It's an appropriate metaphor: There is often truth buried in statements and concepts we disagree with.

The concepts of trusted computing and DRM (digital rights management) often require a watermelon approach. Trusted computing is the idea that integrity and authentication -- and at times encryption -- are built into all parts of a computing system. It's built into the hardware, into the CPU, and into supporting motherboard chips. It's supported by the OS and implemented all the way into the software application layers. Even the network and all the related network devices have authentication and trust built in. Default authentication and encryption are built in to every process, every computing cycle bit to terabyte.

Great discussions on trusted computing goals are covered by the Trusted Computing Group. If you really want to be a serious computer security professional, take the time to read and understand TCG's Trusted Platform Module, Trusted Network Connect, and PC Client specifications.

Trusted computing, if implemented correctly, is a beautiful thing. But can we trust our trusted vendors to be trustworthy? If the applications we install to our trusted platforms contain untrustworthy code, the whole exercise is for naught.

As for DRM, I support its overall objectives. Content providers and copyright holders should be able to charge for their content if they so choose -- as long as they are following commonly accepted laws and traditions. It's the American way.

But DRM is often swung as a sword by a drunken warrior blithely unaware of the damage he is causing. What's got my dander up this week is Sony's incredibly bad DRM decision making.