The biggest security threat: You

Who's the biggest threat to computer security? A foreign spy? A malicious hacker? Maybe neither.
Written by ZDNet Staff, Contributor

According to an encryption expert from Intel, just as potent a threat could be none other than you -- the ordinary computer user. "This is a new focus for the security community," said David Aucsmith, security architect for chip maker Intel. "The actual user of the PC -- someone who can do anything they want -- is the enemy."

His comments came at the Intel Developers Forum here Thursday as the company outlined its security plans. The discussion included Intel's controversial chip ID registration technology in the new Pentium III microprocessor.

Aucsmith said that more and more, software companies and content creators are targeting users as a major threat to security. The reason? With a few keystrokes, users could freely distribute "bits that have value," said Aucsmith -- copying such content as software, DVD video and other valuable data.

Aucsmith pitched the problem as one in which Intel's processor serial number scheme can help. "Security enforces trust," he said. "We want to ID the machine that holds this data to be able to protect it."

In January Intel disclosed that it had added a 64-bit serial number to its processors that -- along with a previous 32-bit CPU ID -- can be transmitted over the Web as a means of proving the user's identity, acting sort of like a vehicle ID number.

Intel is playing up the e-commerce benefits of the technology, while privacy advocates fear the Big Brother implications.

On Thursday, in fact, the privacy and consumer group Centre for Democracy and Technology joined the protest. The organisation revealed that it would file a formal complaint with the Federal Trade Commission citing Intel for dishonest trade practices.

With such turmoil around the chip ID, such a revelation of the industry's view of users might be construed as impolitic at best. "Intel originally tried to convince users that the processor serial number would make e-commerce transactions safer," said Jason Catlett, president and CEO of privacy information firm Junkbusters.com.

"The real reasons have nothing to do with protecting the user. They want to allow for better copy protection and, possibly, tracking on the Internet."

Such tracking technology in computers is not new. Already, makers of software for workstations and servers -- which can cost in the tens of thousands of dollars -- have used machine-specific IDs to essentially "bond" the machine and the software together.

The issue over putting a technology such as processor ID into all PCs may be the catalyst in getting consumers to join the discussion over who own personal information. "Companies like Intel are all for restricting information when that information is a patent or copyrighted material," said Catlett. "But when it comes to their customers' data, they suddenly want free access."

In fact, Intel's Aucsmith agrees ... to an extent. "He who owns the bits sets the security policy," he said. "But if we are talking about medical data -- who owns that -- then there is a big debate coming."

That doesn't mean that Intel is backing off, however. During another presentation, Michael Glancy, general manager of Intel's platform security division, told developers to expect the chip ID in all the company's products soon. "You should anticipate that this will be used all across the major product lines," he said.

His statements were not just limited to PCs, either. Internet appliances and portable devices based on Intel's StrongARM processor will soon have the technology as well. "Those devices will need technologies like this to be more secure," he said.

In the end, unless something comes from the privacy protests, Intel will be putting the processor ID technology everywhere. "We have announced this feature with the Pentium III," said Glancy. "We intend to ship it."

Editorial standards