MIND

Flux
flux@microsoft.com
Douglas Boling
Pentium III and the Internet
Intel has to be one of the best managed companies in the United States. It aggressively markets its products, it has long-term vision, and most of all, it doesn't mind eating its own young. By that, I mean that Intel doesn't wait for the competition to make its products obsolete—it does that on its own. The latest example of this is the recently announced Pentium III.

    The Pentium III has all the incremental changes you'd expect with a new processor. Its clock speed is faster, starting at 450 and 500MHz. It uses a 100MHz memory bus and has a 512KB integrated cache. In addition, the Pentium III introduces the first set of new CPU instructions since the inception of MMX (multimedia extensions) in January 1997.

    Still, with all the new features of the Pentium III, the two that are getting the most press are the random number generator and the software-readable processor serial number.

    Generating random numbers in software has always been problematic. By its very nature, software is deterministic, so using software to produce a truly nondeterministic number isn't possible without some randomizing factor.

    The random number generator integrated in Pentium III-based systems uses thermal noise from a resistor to produce a random number that actually is quite random. Thermal noise can be measured by the tiny variances in resistance of a resistor in the silicon. This changing resistance can be a problem for chip designers if the variance is too great, but in this case, the designers have turned the problem into a solution.

    Why are random numbers so important? Aside from their critical use in shuffling the deck for the next solitaire game, they are used in cryptography. And we all know that security is a major issue on the Internet. By providing a better random number, the data sent from a Pentium III-based system can be that much more secure.

    The other "feature" that Intel provided for security is a machine-readable serial number, unique to each Pentium III chip. When they announced it, Intel thought it was answering an OEM demand for better security. The theory was that by providing the ability to identify each machine, software could be written so that only that machine could read secure data encrypted for it. It turns out that the serial number could have other uses.

    At least two were suggested by the press. The first was the ability of Intel to prevent the problem of "overclocking" a CPU. A database could be used to tag a Pentium III with its proper clock speed. The second use would be to track stolen systems. As soon as a pinched system logged into the Internet, its rightful owner could locate and recover it by reporting it stolen.

    While helping solve known problems, both of the above uses of the serial number smack of Big Brother. Intel quickly published a press release denying that it would track the serial numbers of the Pentium IIIs it sold. Good for them.

    The stated goal of this serial number is to provide the ability for applications and Web sites to track a system's identity. This is making privacy advocates have kittens. Imagine! A Web site knowing that someone logs onto it. While I've always been thoughtful of the identity problem and data theft, I'm not sure that the Pentium III's serial number is going to be a problem.

    First, it'll be years before Pentium III CPUs power the majority of personal computers. Even then, allowances will have to be made for systems running other CPUs without this feature. No Web site or application is going to refuse business just because it can't read a system's serial number.

    Second, you can disable reading of the serial number when the system boots. A simple device driver will do the trick. In fact, just before this went to press Intel announced that the serial number would be turned off by default.

    Third, and most importantly, you need software knowledgeable about the serial number feature to transmit the ID from the machine. I'm sure that there will be a Web browser or two that will certify themselves as anonymous browsers that won't self-identify if this truly becomes an issue.

    Finally, application writers who think they're going to use the serial number to return to the bad old days of copy protection better think again. Intel makes a fair amount of money selling processor upgrades. I myself haven't bought a new computer in a number of years. Rather, I simply replace the motherboard each 18 months or so and buy bigger hard disks. One reason I do this is to avoid reinstalling all my applications. If my programs started to break just because I changed CPUs, I'd buy a different application without such a "feature."

    The serial number in the Pentium III isn't the problem. Any problems will originate with developers who think they can use the serial number to their advantage and to their customers' disadvantage. Not only is the customer always right, they're fickle. Take advantage of them once, and they may not be available for you to take advantage of a second time.

From the March 1999 issue of Microsoft Internet Developer.