
IBM Laptops

imported_goku

Diamond Member
Since I have heard that IBM makes great laptops (and from my own experience), can anyone tell me when IBM started to add their "Embedded Security Subsystem" AKA TCPA chip in their laptops, or their last laptop BEFORE they started to add the Embedded Security Subsystem? Because I don't want any TCPA applications or hardware on my system, nor do I want to support it. The model should be the equivalent of their ThinkPad T series or the ThinkPad T series. Thanks!
 
On the T-series, they started installing them on the T23s on up.

They didn't start installing them as a standard option on every SKU# until the T42.

Hence you can find relatively new ThinkPads without the chip, though just about every wireless model from the factory came with the chip.

You state:

"Because I don't want any TCPA applications or hardware on my system, nor do I want to support it."

I have extensive experience with this chip. I sense your concern may be one of paranoia? If it is, it is unfounded. There is a lot of hearsay about the TCPA and what their goals were with their standards, not necessarily this chip. Over 75% of what was proposed as TCPA standards was thrown out, and it was most of these proposed implementations that alarmed the privacy community. In fact, if anything, the ESS on the IBMs ensures that your privacy is protected far, far more than without it.

Here's some basics:

1. The chip is enabled or disabled through the BIOS. Even enabled, the OS cannot see it. You need to install companion software in order for it to be of any use.
2. IBM does not preload any applications that work with the chip.
3. The TCPA is gone with the wind...and has been replaced by the TCG.

The chip, when coupled with the IBM software, or the HP, or even the Intel software, exists at a base level to ensure that only the correct user is accessing the machine or documents. (Yes, HP is shipping systems with the chip onboard now and Intel is marketing whitebox boards with it onboard.)

1. It can replace the Windows password login with the IBM CSS login, which adds another layer to the Windows GINA.

2. Can encrypt documents with 256-bit AES, either manually or in an automatic mode.
3. Can, as a $$$ option, fully encrypt the drive, and run from that drive.
4. Can work hand in hand with silicon-based biometrics, RF access badges (Xyloc), GEMs smart cards, and replace the functionality of RSA tokens.
5. Will store on chip the biometric fingerprint, digital certs, wireless certs, and more. They are not out on the hard drive where they are vulnerable.
6. As stated, in select wireless environments, it can make the wireless connection more secure.
7. Has a password manager feature.
8. Supports Tivoli Access Manager for working hand in hand with that product to further secure inside network access rights.
9. Much, much more...

It's not really a consumer solution as of yet. It's really meant to be installed and managed at the corporate IT level to enhance their security and to leverage a tool that enables them to force compliance with security policy.

Please write back with any additional questions.
 
Yes, I guess you can say it is paranoia. But mostly it just irritates me when companies try to take more control over your PC or be able to "track you", like the processor serial number on the Pentium IIIs. I know right now the TCPA hardware isn't detected by Windows and will only work if there is software to utilize it, but I recently heard that the next Windows operating system is going to incorporate TCPA-compliant hardware into the operating system, which gives me more of an incentive to NOT support IBM/TCPA/TCG. Please, if you can, let me know more about TCPA (TCG) because it's a relatively new subject for me.
 
Originally posted by: WackyDan
On the T-series, they started installing them on the T23s on up.
[...]


Wow, great post WackyDan! I have an HP NC8000 with this chip in it (I think). I haven't enabled it on my system due to the piss poor HP documentation. I'm afraid I'll encrypt everything and then get locked out. I can't really afford that right now. But I may try it in the future.
 

Well, HP isn't fully up to speed as of yet. Dell will have the chips eventually, maybe in another six months to a year.

Yes, the reason why it's not a consumer-type option is the risk of doing something you'll regret later.

I've made several posts on the ESS and CSS setup here at AT.... and always advise RTFM before screwing around with it. 🙂

It's a great solution.
 
Originally posted by: goku2100
Yes, I guess you can say it is paranoia. But mostly it just irritates me when companies try to take more control over your PC or be able to "track you", like the processor serial number on the Pentium IIIs. I know right now the TCPA hardware isn't detected by Windows and will only work if there is software to utilize it, but I recently heard that the next Windows operating system is going to incorporate TCPA-compliant hardware into the operating system, which gives me more of an incentive to NOT support IBM/TCPA/TCG. Please, if you can, let me know more about TCPA (TCG) because it's a relatively new subject for me.

You can start here: Trusted Computing Group.

Again, while the term TCPA is thrown around quite a bit, it's now a defunct organization, replaced by the TCG above.

And again, conspiracy theories abound about what this chip can do. Most of it is hogwash. In another few years, you really won't have too much choice about it, as it is already an industry standard.

One of the things that they would like to do with the chip is the ability (in the corporate IT environment) to do software inventory/license compliance. This would be a huge tool for corporate IT, It would have absolutely no bearing on consumers.

Remember.... that the chip can be enabled/disabled through the bios setup, AND that is part of the TCG specification on the chip.

As a corporate tool, it's a huge enabler, granting much stronger security, and policy enablement farther reaching than what can be done traditionally.

Are you going to be making this a personal purchase or is this for work??? Sounds like a personal purchase.

Again... review the TCG site, be informed, do your research... But Take the conspiracy/big brother theories of the ESS with a grain of salt while you do so.
 
Don't you think that eventually they could make it automatically enabled in the bios and can't remove it? Also what about the theories with controlling your machine remotely or forcing you to use software that isn't TCG compliant? Remember I am keeping in mind this would happen slowly overtime.
 
Originally posted by: goku2100
Don't you think that eventually they could make it automatically enabled in the bios and can't remove it? Also what about the theories with controlling your machine remotely or forcing you to use software that isn't TCG compliant? Remember I am keeping in mind this would happen slowly overtime.

"forcing you to use software that isn't TCG compliant?"

Not sure I understand the full intent of that statement.

The chip will continue to evolve, as will the software. I'm hoping to get more info on the next rev of the chip sometime by year end. I really think it would be years before it got invasive, if at all.

You can buy an ESS system today with little fear of those possibilities. The chip will have to evolve more to enable those things. Furthermore, remote control is more easily and cost-effectively implemented via software alone, vs. a hardware/software combination, and remote control and monitoring is with us today. Just ask my co-workers when I go out and log the phone numbers they are using to dial in, or IP and ISP. Or even the software inventory I already perform on their ThinkPads to ensure they are in compliance with policy. I know the minute they install a game, web cam, or file sharing app, and can look through each system to determine what they are using it for in regard to work or personal use. I can even send a remote hard disk wipe command to their systems. 🙂
 
I tried it out on my previous T40

But it's basically worthless...
All you have to do to defeat it is boot into safe mode and everything is there for the taking.
 
Originally posted by: eriqesque
I tried it out on my previous T40

But it's basically worthless...
All you have to do to defeat it is boot into safe mode and everything is there for the taking.

Not if you set it up properly.

Your key archive, for example, as well as the admin keys, are to be stored on CD and locked in a safe, as the keys are already on the chip and the key archive is a failsafe.

You probably didn't use automatic file and folder encryption, something that was a manual process back when you tried it on the T40. You won't crack 256-bit AES. If you can, then you are a god. 🙂

As stated, it's about controlling authentication layers and how users authenticate, not only locally to the machine, but also to data, as well as authentication to network resources. Try doing that all properly under safe mode. On a home network? Yes, mostly. On a corporate network? Hardly.

It's a complex piece of software, more complex than it may look using just the setup wizard.
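The disagreement between eriqesque's safe-mode post and WackyDan's reply comes down to where the data key lives, not how strong the cipher is. The Go program below is an added example, not code from this thread or from IBM's CSS/ESS software. It models both designs on a constructed in-memory "disk": one that writes the AES-256 data key to a file beside the ciphertext (what a safe-mode boot or a pulled drive hands an attacker), and one that stores the data key only wrapped under a key derived from a secret the disk never holds (a passphrase here; in the ESS case, a key the chip releases only after the user authenticates). The `Disk` type, the `OfflineAttack` attacker model, the sample document and the passphrase are all constructed for the example, and the iterated SHA-256 `stretch` function is a dependency-free stand-in for a real KDF such as PBKDF2 or scrypt, not a recommendation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Disk models everything readable after booting into safe mode or pulling the drive:
// every file, including any key material left beside the data. (Constructed model.)
type Disk struct{ Files map[string][]byte }

func NewDisk() *Disk { return &Disk{Files: map[string][]byte{}} }

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// seal encrypts with AES-256-GCM and returns nonce||ciphertext||tag.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal. aes.NewCipher rejects anything that is not a 16/24/32-byte key,
// and GCM rejects the blob if the key is wrong or the blob was altered.
func unseal(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// stretch derives a 32-byte key-encryption key from a secret that never touches the disk.
// Iterated SHA-256 stands in for a real KDF (PBKDF2/scrypt/Argon2) to stay dependency-free.
func stretch(secret, salt []byte, rounds int) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), secret...))
	for i := 1; i < rounds; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// StoreKeyOnDisk is the design the safe-mode complaint defeats: AES-256 on the document,
// but the data key is written to a file next to the ciphertext.
func StoreKeyOnDisk(d *Disk, name string, plaintext []byte) error {
	key, err := randomBytes(32)
	if err != nil {
		return err
	}
	blob, err := seal(key, plaintext)
	if err != nil {
		return err
	}
	d.Files[name+".enc"], d.Files[name+".key"] = blob, key // raw key on disk: game over
	return nil
}

// StoreKeyWrapped uses the same AES-256 on the document, but only the wrapped data key
// reaches the disk; unwrapping needs a secret the attacker does not have.
func StoreKeyWrapped(d *Disk, name string, plaintext, userSecret []byte) error {
	key, err := randomBytes(32)
	if err != nil {
		return err
	}
	salt, err := randomBytes(16)
	if err != nil {
		return err
	}
	blob, err := seal(key, plaintext)
	if err != nil {
		return err
	}
	wrapped, err := seal(stretch(userSecret, salt, 100000), key)
	if err != nil {
		return err
	}
	d.Files[name+".enc"], d.Files[name+".key"], d.Files[name+".salt"] = blob, wrapped, salt
	return nil
}

// OfflineAttack is the safe-mode attacker: read everything on disk and use whatever sits
// in the key file as the key. It never learns the user's secret.
func OfflineAttack(d *Disk, name string) ([]byte, error) {
	key, ok := d.Files[name+".key"]
	if !ok {
		return nil, errors.New("no key file on disk")
	}
	return unseal(key, d.Files[name+".enc"])
}

// OpenWithSecret is the legitimate path for the wrapped design.
func OpenWithSecret(d *Disk, name string, userSecret []byte) ([]byte, error) {
	key, err := unseal(stretch(userSecret, d.Files[name+".salt"], 100000), d.Files[name+".key"])
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (wrong secret?): %w", err)
	}
	return unseal(key, d.Files[name+".enc"])
}

func main() {
	doc := []byte("constructed sample document: Q3 payroll export") // constructed, not real data
	secret := []byte("correct horse battery staple")               // constructed passphrase

	a := NewDisk()
	_ = StoreKeyOnDisk(a, "payroll", doc)
	got, err := OfflineAttack(a, "payroll")
	fmt.Printf("key on disk: attacker got %q err=%v\n", got, err)

	b := NewDisk()
	_ = StoreKeyWrapped(b, "payroll", doc, secret)
	got, err = OfflineAttack(b, "payroll")
	fmt.Printf("key wrapped: attacker got %q err=%v\n", got, err)
	got, err = OpenWithSecret(b, "payroll", secret)
	fmt.Printf("key wrapped: owner got    %q err=%v\n", got, err)
}
```

In the first design the attacker recovers the document without touching AES at all, which is what "everything is there for the taking" means in practice. In the second, the only thing on disk is a 60-byte wrapped blob that is not even a valid AES key, so the attacker's next move is guessing the secret offline; that is why the wrapped design is only as strong as the secret, and why holding the unwrap key in a chip that releases it only after authentication is the part of the ESS that matters.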
 