Should Intel decide what software we can run?

Intel has a brilliant new idea to make our computers safe: dictate what software we're allowed to use.

Intel has a brilliant new idea to make our computers safe: dictate what software we're allowed to use.


Ars Technica reports on Intel's walled garden plan to put A/V vendors out of business. It starts out sounding tentatively very positive about plans announced at the Intel Developer Forum by Paul Otellini.

The idea appears to be very similar to the way Apple manages the iPhone App Store, where every single piece of software in it has to be approved and certified by Apple before it is made available to the public -- except it is meant to apply to every x86 architecture platform Intel produces in the future, most likely including a future replacement for whatever computer you use to read this article. Intel is pitching its own plan with its marketing apparently focused purely on security for now, talking about trusted vendors' software being the only software allowed to run on its platforms. The idea seems to be that a "default deny" approach to allowing software to run on the system would be preferable to the current "default allow", with only certified software offerings being able to run on the system.

While the initial careful boosterism eventually falters, the assumption inherent in the tone of the Ars Technica article never even questions the validity of such an approach to security, with Intel acting as final arbiter of All Things Trustworthy. If you know anything about real security, though -- where real security is defined by the needs of the user, and not the business model of the vendor -- your first thought upon reading the article should probably be something like, "I wonder if I should plan to move all my hardware to AMD processors."

While considering the implications of such a plan, some unpleasant questions arise.

  1. Does Intel really expect me to forget why there's no such thing as a trusted brand? The intrinsic principles of corporate responsibility ensure that the moment sufficient market gains can be had to justify it to the board members, the security of the end user will be sold for a few cents here and there. Even long before that point, though, conflicts of interest and the siren song of monopoly will lead to questionable decisions being made about who is or is not allowed to run software on the system.
  2. Is Intel unaware why Android is stealing [market] share from iOS? Even before we got a look inside Apple's insane developer agreement, before many developers took that as a sign that greener pastures awaited within the Android market, smartphone application developers had chafed at the App Store approval process. As the EFF put it last year, More Freedom Necessary as Top Developers Abandon iPhone. A particularly poignant farewell to developing for the iOS platform came from a Mobile Orchard public announcement: I'm Abandoning iPhone Development. Mobile Orchard To Stop Publication. While Apple has backed off from some of its most recent developer-hostile policies, a lot of damage has already been done.
  3. Has Intel failed to notice that Apple's attempt to maintain control of its hardware through litigation has lost its legal legs? This year, the EFF won an important victory when the Copyright Office and Librarian of Congress affirmed that jailbreaking [and rooting] smartphones is finally legal, for now, upsetting Apple's civil litigation clout in the battle against people who want to use the hardware they buy as they see fit. It did not take long before smartphone jailbreaking and rooting became a commodity service. The implications for a similar attempt at a lock-down on the Intel x86 platform are obvious.
  4. Would it even be possible to run open source software on Intel's new, managed hardware platform? The Ars Technica article takes a dismissive tone where this question is concerned. It does say that Intel's proposed "walled garden" approach will "probably be rejected outright by many Linux and open-source users," but buries it under positive spin and otherwise ignores the situation as if the five or six open source software users in the world, all of them living in their parents' basements, will not be able to raise much of a fuss. While it is likely that the biggest projects such as Firefox and Ubuntu would get a pass (at a price paid by their supporting commercial organizations, of course), it gets worse: could you even run a program you yourself wrote on the system under Intel's new plan? For that matter, one must wonder whether it would even be possible to use arbitrary, physically compatible hardware with the system, given the example of MS Windows XP Service Pack 2's notorious cantankerousness when confronted with hardware drivers that had not been "certified". When the driver in question is for the SATA interface to which the boot drive is connected, tears and hysterical laughter may well ensue.
  5. Getting right to the heart of the matter, there is one question that stands head and shoulders above the others in importance: Would Intel's plan even make our systems more secure? It is of critical importance to determine whether it would even do any good before debating whether the trade-off would be worth it. There is reason to doubt that Apple manages to provide any more secure a software ecosystem for iOS than Google does for Android with its much freer Android Market. In fact, with a conscientious and knowledgeable user, Android can be the far more secure option of the two. Intel seems to have forgotten that effective security is most often achieved when you work with end users -- not against them -- to improve security. Furthermore, while the Ars Technica article makes favorable statements about the similarity between how Website encryption works and how Intel's plan seems likely to work, it is difficult to ignore the fact that in the end the characteristics of the Web's standard PKI model prompt us to question whether the TLS/SSL Certifying Authority system is a scam.

With any luck, this new and more restrictive sequel to the Trusted Platform Module -- another ill-conceived "security" scheme that restricts the legitimate user more than malicious security crackers and their ilk -- will be stillborn. The last thing we need in our computing lives right now is hardware that deigns to decide for us what we are allowed to do with the computer, limiting us to a short list of vendor-approved software. What are the chances, for instance, that we would be allowed use potentially security-enhancing software like TechRepublic contributor Sterling Camden's getlessmail?

Those chances would likely lie somewhere between slim and none.