Note: This page dates from 2005, and is kept for historical purposes.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<!--
Copyright © 2004 Ned Martin
http://copyright.the-i.org/
Magic.
-->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="Description" content="Description." />
<meta name="Keywords" content="key, words" />
<title>COMP3502 - Assignment 1 - Trusted Computing</title>
<style type="text/css">
<!--
.border {
border: 1px solid #000000;
padding: 1ex;
}
.smaller {
font-size: 90%;
}
.references {
font-size: 90%;
margin-left: 3em;
}
.references p {
margin: 0px;
padding: 0px;
}
-->
</style>
</head>
<body>
<h1>COMP3502 – Assignment One – Trusted Computing </h1>
<p><a href="#spec">Specification</a> | <a href="#scheme">Marking Scheme</a> | <a href="#submission">My
Submission</a> | <a href="#results">My Results</a> </p>
<p id="spec">You have just graduated, and been employed by “Business Communications
Consulting” as an IT expert. Your boss, Director of Technical Systems, has been
asked to provide the board of directors with a report about the Trusted Computing
Platform Alliance, so that the board can determine whether there are any implications
for its strategic plan. Your boss is too busy to do it himself, and delegates
the task to you. He gives you the following guidance: </p>
<div class="border">
<p>Find information about the Trusted Computing Platform Alliance, including </p>
<ul>
<li>the assets it will protect; </li>
<li>the threats that it addresses; </li>
<li>the mechanism that is to be used, and briefly how it works; </li>
<li>how well the mechanism will counter the threat; </li>
<li>how much the mechanisms could frustrate legitimate users; and </li>
<li>possible ethical, social, economic and/or political effects. </li>
</ul>
<p>Make sure you use at least three different sources of information, and around
1500 words should be enough for the level of detail I’m after. </p>
</div>
<p>As you are keen to demonstrate your critical judgement and communications
skills to your new employer, you will include an appendix (no more than 600
words) that describes how you have evaluated your different information sources: </p>
<ul>
<li> Describe how you judge how objective and authoritative an information source
might be. (You will need to provide at least one or two references for your
“critical thinking” sources here.) </li>
<li> Describe what “peer reviewed” means in the context of the scientific literature,
and comment on what this might mean for readers of that literature. </li>
<li> Give examples of TCPA information that may be misleading, deceptive, or
biased, and explain why you think this may be the case. </li>
<li> Give an example in which one source would classify something as a threat,
where another source would classify the same thing as legitimate use. Decide
whether there is a single “correct” truth, or give examples of different points
of view where each one may be correct.</li>
</ul>
<h2>Notes: </h2>
<div class="smaller">
<p>At least one of the sources you use must have been through a “peer-reviewed”
process, meaning that it is published in a scholarly journal or presented at an international
(or international-quality) conference. Do not attempt to use Google to locate
this sort of information: use library databases instead. Librarians will be
very helpful, unless you are in a rush – talk to them early if you are not
familiar with the databases. </p>
<p>You are required to describe a source that has a very low standard of objectivity
and authority. It should be very easy to find one yourself using Google, but <a href="http://www.againsttcpa.com/what-is-tcpa.html">http://www.againsttcpa.com/what-is-tcpa.html</a> is
one example. </p>
<p>In the field of security, we are faced with attackers who may try to influence
our behaviour (or our computers’ behaviour) for their own purposes. In some
cases, this concept could be used to describe some of the information sources
we may come across. It is important to be able to determine how appropriate
(accurate, objective, unbiased, true) this information might be. Some students
may not be used to criticising other written material, but that will be
necessary in this assignment. Criticisms should be objective and factual, and
should themselves satisfy criteria you use to judge others. </p>
<p>When counting words, you should not include the executive summary (or abstract),
references, appendices, or lengthy quotations. </p>
<p>There is no particular referencing format required, but the one you select
should be applied accurately and consistently. The library can provide details
for suitable schemes. As a reminder, there are marks allocated for references. </p>
<p>You should structure your report logically. You should use headings where
they will help the reader. It is not necessary to structure your report strictly
according to the details your boss asked for, although you may judge that to
be appropriate. </p>
<p>The word count suggestion is not a “hard limit”. You can go over or under
a little if necessary. However, be aware that communication skills are very
important. If you were, for example, to submit a 5000 word assignment, you
may be demonstrating an inability to follow instructions or an inability to
communicate clearly and succinctly. </p>
<p>This is an individual assignment, not one to be done by groups. Locating
information is an important skill that is assessed in this course. While it
would be acceptable to give another student help in using the library databases,
the actual task of finding, selecting, and judging individual information sources
must be done by each student. </p>
<p>You are required to read information from a number of sources, understand
a topic, and then formulate your own words to answer the particular questions
asked above. Where you can find no better way to express an individual idea
than the words used by one of your sources, you should enclose those words
in quotation marks, and refer to their source. Anything less is plagiarism. </p>
<p>Students are reminded of the School’s policy on academic misconduct, which
is available on the web site, and referenced in the course profile. </p>
<p>I hope that if you produce a good assignment, you will not object to having
it published on the web site (your choice as to whether your name is included
or not). </p>
<p>I do not want this assignment to be “guess what the teacher wants”. If you
have questions about the assignment, look first at the course objectives, and
then ask me questions either privately or in the newsgroup. </p>
<p>Students should not expect any assistance from the lecturer or tutors on
this assessment in the last 4 days before it is due in. </p>
</div>
<h2 id="scheme">Marking Scheme </h2>
<table border="1">
<tr>
<td><p>Description of assets, threats, use, and misuse. (Demonstrate correct
interpretation and application of security vocabulary, and adequate comprehension
of literature. Demonstrate identification of frustration of legitimate use.) </p></td>
<td>4 marks </td>
</tr>
<tr>
<td><p>Brief description of mechanism(s) the system will use to counter the
threats. (Has an adequate explanation of why the threat will no longer succeed,
or be less likely to succeed.) </p></td>
<td>3 marks </td>
</tr>
<tr>
<td><p>Social, ethical, economic, political consequences. (Demonstrates an
awareness of related social etc. issues, and provides a logical argument
as to what effects this system may have, and why.) </p></td>
<td>2 marks </td>
</tr>
<tr>
<td><p>Information sources. Located at least one peer-reviewed &amp; at least
one poor-quality. You should use at least four independent sources on the
TCPA, and at least one for critical thinking/web page evaluation. </p></td>
<td>2 marks </td>
</tr>
<tr>
<td><p>Referencing. (Reference list contains necessary information, chosen
formatting is used consistently.) </p></td>
<td>2 marks </td>
</tr>
<tr>
<td><p>Criteria for evaluating sources identified and applied </p></td>
<td>3 marks </td>
</tr>
<tr>
<td><p>Criticism of poor source </p></td>
<td>2 marks </td>
</tr>
<tr>
<td><p>Report structure (logical flow) </p></td>
<td>2 marks </td>
</tr>
</table>
<h2 id="submission">My Submission</h2>
<hr />
<h1>Trustworthy Computing</h1>
<h2>Introduction </h2>
<p>Computers are fast becoming prevalent across all walks of society, bringing
increased benefits, and increased risks. As society as a whole becomes more
dependent on computing, and entire businesses depend on computers for their
very existence, entrusting them with their most critical information and tasks,
computing has become a trusted cornerstone of business, military and government.
This increased reliance on computing has increased interest in trustworthy computing,
and several bodies have formed to investigate, formulate and release what they
term as “trustworthy computers”. We will be investigating one of these, the <em>Trusted
Computing Group</em>, or <em>TCG</em>, and their model for <em>trustworthy
computing</em>.</p>
<h2>The Trusted Computing Group </h2>
<p>The <em>Trusted Computing Group</em> [<a href="#_edn1" id="_ednref1">1</a>]
(TCG) is a not-for-profit organisation formed in early 2003 to “<em>develop,
define, and promote open standards for hardware-enabled trusted computing and
security technologies, including hardware building blocks and software interfaces,
across multiple platforms, peripherals, and devices.</em>[<a href="#_edn2" id="_ednref2">2</a>]”
The TCG builds upon an earlier organisation, the <em>Trusted Computing Platform
Alliance</em> (TCPA), formed by Intel in 1999[<a href="#_edn3" id="_ednref3">3</a>]
as an alliance between several large computing companies, most of whom are now
members of the TCG. In fact, nearly all the large names in computing are members
of the TCG[<a href="#_edn4" id="_ednref4">4</a>]. The TCPA has recognized the
TCG as its successor[<a href="#_edn5" id="_ednref5">5</a>] and contains many
of the same member companies, and the terms TCPA and TCG are frequently used
interchangeably to refer to one or both of the organisations, the specifications
they have released, or even trustworthy computing in general. I will be using
TCG to refer only to the Trusted Computing Group, including the TCPA they have
largely superseded. The term TC, for <em>trustworthy computing</em>, forms
a more apt generalisation of the field, and is the term I shall be using to
refer to trustworthy and trusted computing in general.</p>
<h2>Trustworthy Computing </h2>
<p>The stated purpose of the TCG, and TC in general, is to increase the level
of trust we, as computer users, can place in our computers. Both “trust” and
“trustworthy” are often misused words, so it is worth clarifying their meaning
in the context of TC. [<a href="#_edn6" id="_ednref6">6</a>] explains trust
as “<em>the expectation that a device will behave in a particular manner for
a specific purpose.</em>” Using this definition, we can further say that a
trustworthy computer would be a computer that was trusted, and did not betray
that trust, and that TC is the field concerned with creating trusted and trustworthy
computers.</p>
<h2>How TCG works </h2>
<p>The TCG has released a non-normative architectural overview[<a href="#_edn7" id="_ednref7">7</a>]
giving an outline of the various TCG specifications, their expected use, and
some possible implications. [<a href="#_edn7">7</a>] explains the basics of
how the current TCG specifications would be implemented in both hardware and
software, which we will summarise below. It is worth noting that the concepts
behind this technology are not new, with several large companies, such as IBM
and Microsoft, having their own, often slightly incompatible, implementations.
IBM has actually shipped hardware implementations[<a href="#_edn8" id="_ednref8">8</a>]
predating both the TCG and the TCPA.</p>
<h3>Inherited Trust </h3>
<p>The core concept behind the TCG TC model is <em>inherited trust</em>. Perhaps
the easiest way to understand this is through an analogy. Assuming I can trust
myself, I can then delegate trust to some friend that I trust, and they can
in turn delegate trust to a trusted friend of theirs. This works both ways,
if someone else trusts me, and I then delegate trust to my friend who in turn
passes it on to someone else, we have a <em>chain of trust</em>. The obvious
problem with this is that the entire process is vulnerable should the chain
of trust be broken at any point – but ignoring this problem for a moment, we
can see that there will be a root of trust at some point. Somewhere, there has
to be a person who is implicitly trusted, to pass on their trust to the next
person, and so forth. This <em>root of trust</em>, and protecting the chain
of trust, has been the biggest problem in trust-based computing, and hence the
main problem TCG attempts to overcome.</p>
<h3>The Trusted Computing Root </h3>
<p>The physical aspect of TCG begins with a <em>Trusted Platform Module</em>,
or TPM[<a href="#_edn9" id="_ednref9">9</a>], which is typically a hardware
device physically attached to a computer in such a manner that it is infeasible
to transfer it intact to another computer. This device incorporates several
components, which together form a <em>trusted root of computing</em>[<a href="#_edn10" id="_ednref10">10</a>],
namely the root of trust for storage (RTS)[<a href="#_edn11" id="_ednref11">11</a>],
root of trust for reporting (RTR)[<a href="#_edn12" id="_ednref12">12</a>] and
root of trust for measurement (RTM)[<a href="#_edn13" id="_ednref13">13</a>].
Before delving further into the actual workings behind these, let us explore
the concepts a little. </p>
<p>The TPM contains, along with the RTS, RTR and RTM, a small portion of non-volatile
storage, some platform configuration registers (PCR), a random number generator,
and some encryption engines – along with a permanently stored and unique key.
Using a typical personal computer as an example[<a href="#_edn14" id="_ednref14">14</a>],
when first powered on, the TCM starts and the RTM, which is implicitly trusted,
verifies the computer’s basic operating system loading code by storing a <em>digest
of the code</em> in the update-only RTS, which in turn verifies the operating
system itself, which can then verify an application. This chain of <em>transitive
trust</em>[<a href="#_edn15" id="_ednref15">15</a>], which relies on each component
verifying the authenticity of the component (or code) above it before passing
control to it, with the initial component being implicitly trusted, allows the
entire system to vouch that an application is running in a <em>known trusted
state</em> – and is the main purpose of TCG. It is important to note that this
does not prevent the machine from entering a non-trusted state[<a href="#_edn16" id="_ednref16">16</a>]
– it just prevents the machine from lying about its state. What the software
chooses to do once it has verified the system as trustworthy is, as we shall
see later, quite controversial – but actually outside the scope of the TCG specifications
themselves.</p>
<h3>Data Integrity </h3>
<p>The other major concept that TCG provides for is data binding, signing and
sealing[<a href="#_edn17" id="_ednref17">17</a>]. <em>Data binding</em> prevents
an encrypted message from being recovered by anyone other than the intended
recipient, using standard public-key systems – the major difference being that
the keys are stored within the TPM, and hence largely protected from fraud. <em>Data
signing</em> is essentially the same as binding, except that it only verifies
the authorship and integrity of the data, without encrypting it. <em>Data sealing</em>,
which is one of the most powerful features of TCG, takes binding and signing
one step further, and uses the current verifiable state of the machine to encode
or sign data, thus verifying that the data was created on a system running in
a specified and verifiable state. One of the more controversial aspects of this
feature ensures data can only be opened on a specific machine, when it is in
a specified state, allowing verifiable platform specific control over data for
the first time. </p>
<p>The third major feature of TCG allows for remote attestation – the verifiability
of communications between two or more remote entities, using techniques similar
to those used for data signing. This feature has caused some serious privacy
concerns, as we shall see below.</p>
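<p>The measurement chain described under “The Trusted Computing Root” and the sealing behaviour described under “Data Integrity” can be modelled in software. The following Python is an added example, not part of the original submission and not TCG code: <code>ToyTPM</code>, its method names and the sample boot chains are hypothetical, an HMAC-based toy cipher stands in for the module's real encryption, and the extend rule SHA1(old || digest) is the one used for TPM 1.1b/1.2 PCRs.</p>

```python
import hashlib
import hmac
import os

PCR_SIZE = 20  # SHA-1 digest length, the PCR width in TPM 1.1b/1.2

def extend(pcr: bytes, digest: bytes) -> bytes:
    """Update-only PCR operation: new value = SHA1(old value || digest)."""
    return hashlib.sha1(pcr + digest).digest()

def replay(event_log) -> bytes:
    """Verifier side: recompute the PCR value a measurement log implies."""
    pcr = bytes(PCR_SIZE)
    for digest in event_log:
        pcr = extend(pcr, digest)
    return pcr

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy cipher (HMAC-SHA256 in counter mode) standing in for real TPM encryption.
    blocks = (n + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:n]

class ToyTPM:
    """Hypothetical software model; the names are illustrative, not a TCG API."""

    def __init__(self):
        # Stand-ins for key material that never leaves the module.
        self._enc_key, self._mac_key = os.urandom(32), os.urandom(32)
        self.reset()

    def reset(self):
        """Power cycle: the PCR returns to zero, the keys persist."""
        self.pcr = bytes(PCR_SIZE)
        self.event_log = []  # stored outside the module; checked by replay()

    def measure(self, code: bytes):
        """Record a digest of the next component before control passes to it."""
        digest = hashlib.sha1(code).digest()
        self.event_log.append(digest)
        self.pcr = extend(self.pcr, digest)

    def _tag(self, release_pcr: bytes, nonce: bytes, ct: bytes) -> bytes:
        return hmac.new(self._mac_key, release_pcr + nonce + ct, hashlib.sha256).digest()

    def seal(self, secret: bytes) -> dict:
        """Encrypt a secret and bind it to the PCR value at the time of sealing."""
        nonce = os.urandom(16)
        ks = _keystream(self._enc_key, nonce, len(secret))
        ct = bytes(a ^ b for a, b in zip(secret, ks))
        return {"release_pcr": self.pcr, "nonce": nonce, "ct": ct,
                "tag": self._tag(self.pcr, nonce, ct)}

    def unseal(self, blob: dict) -> bytes:
        """Release the secret only on this module and only in the sealed-to state."""
        tag = self._tag(blob["release_pcr"], blob["nonce"], blob["ct"])
        if not hmac.compare_digest(tag, blob["tag"]):
            raise ValueError("blob modified or sealed by a different module")
        if not hmac.compare_digest(self.pcr, blob["release_pcr"]):
            raise PermissionError("platform is not in the state the data was sealed to")
        ks = _keystream(self._enc_key, blob["nonce"], len(blob["ct"]))
        return bytes(a ^ b for a, b in zip(blob["ct"], ks))

def boot(tpm: ToyTPM, chain) -> bytes:
    """Measured boot: reset, then measure each stage in load order."""
    tpm.reset()
    for code in chain:
        tpm.measure(code)
    return tpm.pcr

# Constructed sample boot chains (loader, operating system, application).
GOOD_CHAIN = [b"loader 1.0", b"kernel 1.0", b"application 1.0"]
BAD_CHAIN = [b"loader 1.0", b"kernel 1.0 with rootkit", b"application 1.0"]

def demo() -> dict:
    tpm = ToyTPM()
    known_good = boot(tpm, GOOD_CHAIN)
    blob = tpm.seal(b"disk encryption key")
    tampered = boot(tpm, BAD_CHAIN)  # the modified system still boots...
    try:
        tpm.unseal(blob)
        released = True
    except PermissionError:
        released = False  # ...but it cannot open the sealed data
    log_ok = replay(tpm.event_log) == tpm.pcr
    boot(tpm, GOOD_CHAIN)  # back in the known state, the secret is released
    return {"state_differs": tampered != known_good, "log_matches_pcr": log_ok,
            "released_when_tampered": released, "recovered": tpm.unseal(blob)}

if __name__ == "__main__":
    print(demo())
```

<p>Nothing in the model stops the modified chain from running; the changed component only produces a different register value, which a verifier replaying the log can see and which the module checks before releasing sealed data.</p>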
<h2>How TCG Doesn’t Work </h2>
<p>TC has caused quite some paranoia, with many opponents claiming sometimes
far-fetched and unlikely scenarios[<a href="#_edn18" id="_ednref18">18</a>],
often based on incorrect or partial information[<a href="#_edn19" id="_ednref19">19</a>].
Paranoia notwithstanding, TCG does raise some interesting questions and concerns.
Many concerns are about <em>privacy</em>, as each TCP ships with a uniquely
identifying key. Surprisingly, the TCM is specified as “tamper evident”, not
“tamper resistant”, which could be expected to result in private keys being
stolen and used by others[<a href="#_edn20" id="_ednref20">20</a>]. To make
matters worse, the specification does not provide an efficient method to <em>revoke
credentials</em> once they have been issued[<a href="#_edn20">20</a>], making <em>key
theft</em> a serious identity theft concern.</p>
<h3>Privacy </h3>
<p>Another concern relates to the top-level key issuing body, known as a <em>certificate
authority</em> or CA. To protect the privacy of a TCG platform, a third party
CA is trusted to generate <em>identity credentials</em>[<a href="#_edn21" id="_ednref21">21</a>],[<a href="#_edn22" id="_ednref22">22</a>],
negating the need to use unique TCM keys directly with other TCM modules. This
places a high level of trust in a centralised CA; trust that, if betrayed,
could compromise large numbers of TCG platforms, and begs the politically charged
question – who will be the top-level CA? </p>
<p>This brings up another issue, where a CA is the only party that knows which <em>private
key</em> was used to generate an <em>identity key</em>, but the current TCG
specification[<a href="#_edn16">16</a>] doesn’t provide a mechanism to prove
this, meaning that a CA could potentially fake this information – either proving
a connection between a TCM and an identity key that does not exist, or creating
an identity key for a TCM that does not exist[<a href="#_edn23" id="_ednref23">23</a>].
There is no simple solution to privacy concerns such as these, causing some,
such as [<a href="#_edn22">22</a>], to say that TCG will eliminate privacy entirely.</p>
<h3>Economics </h3>
<p>A further worry is that TCG, through its ability to prevent access to data
except in specific circumstances, could enable certain programs to <em>monopolise </em> specific
data. [<a href="#_edn24" id="_ednref24">24</a>] makes the case that this could
lead to some programs or companies holding unbreakable monopolies. Perhaps the
most controversial aspect of TCG, however, comes about due to its ability to
encrypt data in such a way that it can only be decrypted on a machine running
in a specific state. Opponents of the concept claim TCG will be used to prevent
fair use of various forms of media[<a href="#_edn25" id="_ednref25">25</a>],
although this would have to be implemented in software, not directly via TCG.</p>
<h2>Conclusion </h2>
<p>Having investigated the Trusted Computing Group and their model for trustworthy
computing, and discussed the benefits and potential pitfalls inherent in this
model, we can conclude that, as computers become increasingly important, the
risks associated with a failure of trust will also become increasingly devastating,
and thus trustworthy computing will also become ever more imperative. However,
whether TCG provides the answers computing needs, is a matter only time will
tell. As [<a href="#_edn26" id="_ednref26">26</a>] says, </p>
<blockquote>
<p>“Current efforts to secure the PC’s traditionally open architecture will give
consumers two unattractive choices: They will either have to pay a huge premium
for an unwieldy system that employs impenetrable membranes, encrypted buses,
and tamper-resistant memory, or they will have to settle for an inferior solution
that fails to thwart dishonest users and limits the ability to backup data and
interoperate with third-party software. Investing in proven architectural improvements
such as guarded pointers and data tags is a more cost-effective and long-overdue
alternative.” </p>
</blockquote>
<div class="references">
<p>References: </p>
<p>[<a href="#_ednref1" id="_edn1">1</a>] Trusted Computing Group, [Online site],
[Cited 2004 Aug 23], Available https://www.trustedcomputinggroup.org/ </p>
<p>[<a href="#_ednref2" id="_edn2">2</a>] Trusted Computing Group, [Online document],
2004, [Cited 2004 Aug 23], Available https://www.trustedcomputinggroup.org/about/ </p>
<p>[<a href="#_ednref3" id="_edn3">3</a>] D. Farber, “Fame, but No Riches, For
Cybersecurity,” IEEE SPECTRUM, Jan, pp 52, 2003 </p>
<p>[<a href="#_ednref4" id="_edn4">4</a>] Trusted Computing Group, [Online document],
2004, [Cited 2004 Aug 23], Available https://www.trustedcomputinggroup.org/about/members/ </p>
<p>[<a href="#_ednref5" id="_edn5">5</a>] Trusted Computing Group, Backgrounder,
pp 5, 2003 </p>
<p>[<a href="#_ednref6" id="_edn6">6</a>] Trusted Computing Group, TCG Specification
Architecture Overview, Rev 1.2, pp 5, 2004 </p>
<p>[<a href="#_ednref7" id="_edn7">7</a>] Trusted Computing Group, TCG Specification
Architecture Overview, Rev 1.2, 2004 </p>
<p>[<a href="#_ednref8" id="_edn8">8</a>] D. Safford, The Need for TCPA, pp
4, 2002 </p>
<p>[<a href="#_ednref9" id="_edn9">9</a>] Trusted Computing Group, Backgrounder,
pp 5, 2003 </p>
<p>[<a href="#_ednref10" id="_edn10">10</a>] Trusted Computing Group, TCG Specification
Architecture Overview, Rev 1.2, pp 19, 2004 </p>
<p>[<a href="#_ednref11" id="_edn11">11</a>] Trusted Computing Group, TCG Specification
Architecture Overview, Rev 1.2, pp 16, 2004 </p>
<p>[<a href="#_ednref12" id="_edn12">12</a>] Trusted Computing Group, TCG Specification
Architecture Overview, Rev 1.2, pp 9, 2004 </p>
<p>[<a href="#_ednref13" id="_edn13">13</a>] Trusted Computing Group, TCG Specification
Architecture Overview, Rev 1.2, pp 24, 2004 </p>
<p>[<a href="#_ednref14" id="_edn14">14</a>] Trusted Computing Group, TCG Specification
Architecture Overview, Rev 1.2, pp 5, 2004 </p>
<p>[<a href="#_ednref15" id="_edn15">15</a>] Trusted Computing Group, TCG Specification
Architecture Overview, Rev 1.2, pp 7, 2004 </p>
<p>[<a href="#_ednref16" id="_edn16">16</a>] Trusted Computing Group, TCG Main
Specification, Ver 1.1b, 2002 </p>
<p>[<a href="#_ednref17" id="_edn17">17</a>] Trusted Computing Group, TCG Specification
Architecture Overview, Rev 1.2, pp 15, 2004 </p>
<p>[<a href="#_ednref18" id="_edn18">18</a>] [Online document], 2004, [Cited
2004 Aug 23], Available http://www.notcpa.org/ </p>
<p>[<a href="#_ednref19" id="_edn19">19</a>] [Online document], 2004, [Cited
2004 Aug 23], Available http://www.againsttcpa.com/what-is-tcpa.html </p>
<p>[<a href="#_ednref20" id="_edn20">20</a>] J. Reid, J. M. G. Nieto, E. Dawson,
and E. Okamoto, Privacy and Trusted Computing, pp 4, 2003 </p>
<p>[<a href="#_ednref21" id="_edn21">21</a>] J. Reid, J. M. G. Nieto, E. Dawson,
and E. Okamoto, Privacy and Trusted Computing, pp 3, 2003 </p>
<p>[<a href="#_ednref22" id="_edn22">22</a>] B. Arbaugh, “Improving the TCPA
Specification,” Computer, Aug, pp 78, 2003 </p>
<p>[<a href="#_ednref23" id="_edn23">23</a>] J. Reid, J. M. G. Nieto, E. Dawson,
and E. Okamoto, Privacy and Trusted Computing, pp 5, 2003 </p>
<p>[<a href="#_ednref24" id="_edn24">24</a>] E. W. Felten, “Understanding Trusted
Computing - Will Its Benefits Outweigh Its Drawbacks?,” IEEE SECURITY &amp; PRIVACY,
May/Jun, pp 62, 2003 </p>
<p>[<a href="#_ednref25" id="_edn25">25</a>] B. Arbaugh, “Improving the TCPA
Specification,” Computer, Aug, pp 78, 2003 </p>
<p>[<a href="#_ednref26" id="_edn26">26</a>] B. Arbaugh, “Improving the TCPA
Specification,” Computer, Aug, pp 79, 2003 </p>
</div>
<p> </p>
<h1>Appendix A – Critical Evaluation of Sources</h1>
<p>TCG has proved to be a controversial issue, and as with any controversial
issues, the information regarding it ranges from the reputable to the highly
disreputable, with many paranoid and misinformed people subverting information
for their own purposes. With this in mind, critical judgement of the sources
used in this report was very important. </p>
<p>The peer review system usually provides a trusted source of information, providing
one affords the peers the liberty of trust and finds them trustworthy. With
this in mind, I have attempted to source the majority of my sources from reputable,
peer-reviewed sources such as the IEEE database. </p>
<p>I can categorise my sources into two clear types – those that have been through
a reputable peer reviewing process, and those that either haven’t, or I can’t
verify whether they have or not. Sources such as [<a href="#_edn27" id="_ednref27">1</a>]
from the IEEE can be safely assumed to have passed reliable peer reviewing,
while sources such as [<a href="#_edn28" id="_ednref28">2</a>] could be expected
to have undergone a peer-review process, but this cannot be verified, and one
cannot be certain whether the source exhibits any bias towards its employers
or not, and as such, one should not implicitly trust such sources. </p>
<p>Sources such as [<a href="#_edn29" id="_ednref29">3</a>] should be treated
as suspect, and have mainly been used to show that such opinions, while they
have not been peer-reviewed and exhibit, particularly in [<a href="#_edn30" id="_ednref30">4</a>],
considerable and unjustified bias, nonetheless do exist. </p>
<p>As an example of the bipolar nature exhibited by varied sources, consider
the statement by [<a href="#_edn31" id="_ednref31">5</a>] that: </p>
<blockquote>
<p>“The long term result [of TCG] be that it will be impossible to use
hardware and software that’s not approved by the [TCG]. Presumably there will
be high costs to get this certification and that these would be too much for
little and mid-range companies. Therefore open-source and freeware would be
condemned to die, because without such a certification the software will simply
not work”</p>
</blockquote>
<p>In fact, contrast the above with: </p>
<blockquote>
<p>“It is worth clarifying that the TCPA specification itself, does
not allow a third party to control which operating system and application software
a platform owner can run. Therefore, the architecture does not provide a mechanism
for software licence enforcement where a platform boot can be terminated by
a third party[<a href="#_edn32" id="_ednref32">6</a>]” </p>
</blockquote>
<p>As we can see, these two sources are diametrically opposed – only one of the
two can actually be correct. In this case, [<a href="#_edn32">6</a>] has been
through the IEEE peer review process[<a href="#_edn33" id="_ednref33">7</a>],
where people who have knowledge of the subject have formally read and refereed
the article before it was published. While this doesn’t guarantee the accuracy
of the article, it does give it a much higher level of credibility than [<a href="#_edn29">3</a>],
which has probably not been reviewed by anyone with any credentials or reputation
in the field. </p>
<p>Several other critical evaluation techniques[<a href="#_edn34" id="_ednref34">8</a>],[<a href="#_edn35" id="_ednref35">9</a>]
were used to evaluate sources, particularly as anyone can publish anything online.
With this in mind, for all sources I checked whether there was a signed author, and
if so, who the author was, whether he or she had been referenced by anything
else I had read, whether the site was sponsored by, or owned by, a company with
a stated interest in the matter and how current the information is. This brings
up an interesting question, can we trust sources such as [<a href="#_edn36" id="_ednref36">10</a>]
which are from a site which has a stated interest in its own development? I
concluded that, as the information was mainly technical and had been through
a peer-reviewed system, and that the article is about this information, we could
assume that it is an accurate and reliable source. </p>
<p> </p>
<div class="references">
<p>References:</p>
<p>[<a href="#_ednref27" id="_edn27">1</a>] D. Farber, “Fame, but No Riches,
For Cybersecurity,” IEEE SPECTRUM, Jan, pp 51, 2003 </p>
<p>[<a href="#_ednref28" id="_edn28">2</a>] D. Safford, The Need for TCPA,
2002 </p>
<p>[<a href="#_ednref29" id="_edn29">3</a>] [Online document], 2004, [Cited
2004 Aug 23], Available http://www.notcpa.org/ </p>
<p>[<a href="#_ednref30" id="_edn30">4</a>] [Online document], 2004, [Cited
2004 Aug 23], Available http://www.againsttcpa.com/ </p>
<p>[<a href="#_ednref31" id="_edn31">5</a>] [Online document], 2004, [Cited
2004 Aug 23], Available http://www.againsttcpa.com/what-is-tcpa.html </p>
<p>[<a href="#_ednref32" id="_edn32">6</a>] J. Reid, J. M. G. Nieto, E. Dawson,
and E. Okamoto, Privacy and Trusted Computing, pp 3, 2003 </p>
<p>[<a href="#_ednref33" id="_edn33">7</a>] [Online document], 2004, [Cited
2004 Aug 23], Available http://ieeexplore.ieee.org/xpl/Peerreview.jsp </p>
<p>[<a href="#_ednref34" id="_edn34">8</a>] [Online document], 2004, [Cited
2004 Aug 23], Available http://lib.nmsu.edu/instruction/evalcrit.html </p>
<p>[<a href="#_ednref35" id="_edn35">9</a>] [Online document], 2004, [Cited
2004 Aug 23], Available http://www.library.ucla.edu/libraries/college/help/critical/index.htm </p>
<p>[<a href="#_ednref36" id="_edn36">10</a>] Trusted Computing Group, Backgrounder,
2003 </p>
</div>
<p> </p>
<hr />
<h2 id="results">My Results </h2>
<p><img src="_img/COMP3502-assignment-1-histo.png" alt="Results Histogram" width="400" height="366" /></p>
<table border="1">
<tr>
<th colspan="3">Assignment 1 </th>
</tr>
<tr>
<td><strong></strong>Assets </td>
<td>(out of 4 marks) </td>
<td>2 </td>
</tr>
<tr>
<td><strong></strong>Mechanisms </td>
<td>(out of 3 marks) </td>
<td>3 </td>
</tr>
<tr>
<td><strong></strong>Social etc </td>
<td>(out of 2 marks) </td>
<td>1 </td>
</tr>
<tr>
<td><strong></strong>Sources </td>
<td>(out of 2 marks) </td>
<td>2 </td>
</tr>
<tr>
<td><strong></strong>Referencing </td>
<td>(out of 2 marks) </td>
<td>2 </td>
</tr>
<tr>
<td><strong></strong>Evaluation </td>
<td>(out of 3 marks) </td>
<td>3 </td>
</tr>
<tr>
<td><strong></strong>Criticism </td>
<td>(out of 2 marks) </td>
<td>2 </td>
</tr>
<tr>
<td><strong></strong>Structure </td>
<td>(out of 2 marks) </td>
<td>2 </td>
</tr>
<tr>
<td><strong>Total </strong></td>
<td>(out of 20 marks) </td>
<td>17 </td>
</tr>
</table>
<p>09-SEP-2004</p>
</body>
</html>