Slashdot Mirror

Vista Media Center refuses to record certain TV shows:
http://news.cnet.com/8301-10784_3-9943631-7.html

Loose all your music when you upgrade or reinstall
http://forums.legitreviews.com/about14833.html

Get falsely accused by Microsoft of piracy - "Windows Genuine Advantage falsely accuses millions"
http://arstechnica.com/old/content/2007/01/8690.ars
Now it can lead to "Reduced functionality mode"

"Windows Vista includes an extensive reworking of core OS elements in order to provide content protection for so-called "premium content", typically HD data from Blu-Ray and HD-DVD sources. Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost. These issues affect not only users of Vista but the entire PC industry, since the effects of the protection measures extend to cover all hardware and software that will ever come into contact with Vista, even if it's not used directly with Vista (for example hardware in a Macintosh computer or on a Linux server)"
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

Jon

This entire article, much like this one that came out just before vista http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html are entirely FUD and have been debunked repeatedly. You can download a copy of windows 7 and test it for yourself.

Since I'm a karma whore: http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.htmlA Cost Analysis of Windows Vista Content Protection

Read Peter Gutmann's excellent article here:
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

Why are we still talking about this? Gutmann had never run Vista when he wrote the article, and stopped updating it once Vista was in the market and actually testing it was possible.

He makes a ton of testable hypothoses in the article. And I don't see a one that hasn't been disproven.

It's simply not an article about Vista. It's an article describing his fantasy of how bad Vista could have been.

First, please send me a peer reviewed paper showing experimentally that you exist. Please follow up with the peer reviewed replication of that experiment.

But while we wait for the wave of pedantry to subside, have a look at: Secure Deletion of Data from Magnetic and Solid-State Memory first published in the Sixth USENIX Security Symposium Proceedings, San Jose, California, July 22-25, 1996.

Then consider that I was merely summarizing how a magnetic medium can, in fact, retain traces of overwritten data on it. It was a post on slashdot, not my thesis.

I can only guess from your tone that you're the guy the whiny and pedantic knot of trekkies stuff in the trashcan for being too pedantic and whiny at the sci-fi convention.

(Editor's note: SecurityFocus is currently investigating the veracity of the research paper mentioned in this article. Peter Gutmann of the University of Auckland, an expert on secure deletion, has criticized the work in the epilogue to his paper on secure deletion.) http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html This paper is a very good read and provides alot of information on the topic, along with basically calling the authors of this articles paper an idiot.

In the epilogue of http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html, Peter Gutmann basically calls the author of TFA a rtrd.

Apparently, he's confusing two different techniques, and Gutmann claims that, of course it won't work the way he's doing it. He's doing it wrong. You can't use the Magnetic Force Microscope to perform an error cancelling read, it doesn't work. The success rate is - surprise! - less than 1%, exactly like TFA claims.

Also, mentioned in Gutmann's epilogue, TFA confuses an MFM and a scanning electron microscope. They are not the same thing. An MFM reads magnectic levels, it doesn't "see" electrons like a SEL will.

In any case, Gutmann agrees with TFA but for very different reasons. The new encoding techniques nullify the MFM. There is no point using it because it won't give you any usefull information on a modern drive. Also, the extremely high densities mean the only practical and reliable method of recovery is basic error-cancelling techniques, and that's only practical after one wipe. Even then, it's iffy at best.

So yes, a single wipe is probably all you need. But who knows what data recovery techniques will be invented? A single pass is probably good enough right now, but 3-4 random passes is pretty much a sure thing, regardless of future techniques.

and this: http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

I'm sorry you took the question as biased. As a user of Windows systems at home both home and work, I will be delighted to find out that either a) those who've claimed that Vista DRM brings with it a wide variety of disadvantages are wrong and/or 2) that insofar as there are such disadvantages, Win7 addresses them.

Certainly there have been detailed claims of concerns that would affect not just authors of Vista device drivers, but more indirectly, users who would not be able to connect devices that they own (I.e. because the drivers could not be written or deployed), or who would find features (echo cancellation) missing from the drivers they could get. See for example: http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html I'm not claiming that article is accurate or unbiased. On the contrary, I'm asking: if concerns like this were real with respect to Vista, to what extent are they resolved in Win7. If the answer is: the article is incorrect with respect to Vista, then all the better.

By the way, my reason for not having significant direct experience with using Vista device drivers is that on the several occasions I tried Vista, I ran into so many compatibility and integrity problems that I had to back out to XP. I don't think this is the place to go into what those problems were, but I can detail them if you care.

And no, I haven't had the opportunity to write device drivers for Windows. The last time I wrote device drivers was for Unix systems, and it was quite awhile ago.

Thank you.

Thanks for the response. I guess I'm slow because I can't wrap my head around the assertion that there is "absolutely ZERO impact on people who don't use DRM'd media".

Admittedly, I don't use Vista - and I'm basing my opinion on this article I read a long time ago - but it seems to be both by "common-sense" and "real figuring" (like in the article), all the DRM stuff that was added in Vista does have some impact. Even on those who wouldn't be using DRM'ed files.

No bank is going to get a cert from RapidSSL or the like. (At least, I hope not--given the security practices I've seen at banks, I'd be surprised if they didn't

This is, supposedly, what EV certificates provide, apart from a fat new revenue stream for selling those expensive bits (quick, someone explain why wildcard certs cost a single damned penny more than single-domain certs) and making anyone who can't afford them into second-class citizens.

There is, however, an attack which goes around that; as Dan Bernstein proposed in 1999, if you set up your fake server for hugebank.com, and have it serve up redirects to your newly registered (and certified!) hugebank.secure-banking.dom site, then the user will see a validated site that they got to by typing in their bank's address or following an email link.

Given that my current bank requires me to accept javascript served from akamai.net in order for me to pay bills, and other banks use plenty of weird domains for user interaction (see pages 11--13), I don't believe that this would set off any alarms.

I complained to my bank back in August about the site requiring javascript from untrusted domains--I didn't even get to complaining about their use of various domain names. Unfortunately, there's no better alternative where I live, and they seem completely uninterested in responding to me.

It's a bit depressing how nobody takes the security implications of the internet seriously, and acts surprised when they're reminded of them.

Email is not secure. Using SSL for your POP/SMTP/IMAP connections secures your login to the server, but the mail itself is still transmitted in the clear. And people act surprised when you tell them that people can and likely do scan their email?

Then again, given that our financial institutions actively train their users to ignore security indicators (a very exploitable situation), we shouldn't be surprised at that sort of nonsense.

I noticed the following in the article:

It got worse. Most Internet commerce transactions are encrypted. The encryption is provided by companies like VeriSign. Online vendors visit the VeriSign site and buy the encryption; customers can then be confident that their transactions are secure.

But not anymore. Kaminsky's exploit would allow an attacker to redirect VeriSign's Web traffic to an exact functioning replica of the VeriSign site.

I was going to write about how clearly the built-in CA certs in the user's browser would throw up a flag and note that the cert wasn't actually signed by the folks at Verisign or whatever... but then I realized that, hey, given the abysmal state of security compliance, it's probable that nobody would even notice.

And an article on cache poisoning that doesn't even mention that Dan Bernstein had foreseen and fixed the lack of source-port randomization while pointing out that it's still only a stopgap seven years earlier is an article that should have been edited a bit more thoroughly. Kaminsky made the attack much more dangerous, but the possibility should never have existed in the first place.

In a more ideal world, we'd all exchange encrypted and signed email and access any site that involved a login using valid SSL certificates and secure-only cookies. But we're not there.

Choose your "experts" carefully.

I'll take an expert over a pay-for-say MS "expert" any day. Facts happen to run against MS, get over it. That's why the marketing firms they hire come down so hard on reviewers, evaluators and benchmarkers.

If you want to get down to the bottom of some of the many, many problems with MS Vista, as well as the OpenGL imitation, then see Peter Gutmann's analysis, A Cost Analysis of Windows Vista Content Protection.

Running a smear campaign may or may not annoy the author, but it is the facts he is reporting. You can even read Peter's response to the MS attack dogs where he addresses their tactics as well as emphasizes some of the points they chose to skip over.

MS has a long history of manufacturing abuse of not just critics but also critical data. Money spend on MS products goes into funding unethical, anti-competitive, and, in some cases, illegal activity. Even helping keep the monopoly going, whether intentionally or unintentionally, by not supporting open formats or protocols allows the malfeasance continued funding.

You left out the link to Gutmann's comments, or by "here" did you mean generally in /.? Anyway, I went looking and found this. Indeed an interesting read. I knew Vista's driver model was pathetic in part because of "content protection" issues, but I had no idea how awful it is.

And can you imagine them trying to provide backwards support for this crap in Windows 7? What a nightmare!

http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

sorry - forgot to put in the link

This has thoroughly been discussed by Peter Gutmann here

You mean here

Didn't take long to find these...

http://davisfreeberg.com/2008/01/03/bad-copp-no-netflix/
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html
http://blogs.zdnet.com/hardware/?p=1865
http://www.grc.com/sn/SN-074.htm
http://www.cypherpunks.to/~peter/vista.pdf

Vista doesn't stop me from watching anything, or burning dvd copies for that matter.

I don't have personal experiences with it as I switched completely to Linux long ago. However, there are numerous examples on the web:

A good technical overview of the stuff your computer is doing *other* than what you want it to do: http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

A real-world example of that stuff hurting a real user: http://yro.slashdot.org/article.pl?sid=08/01/03/2339248

Vista DRM breaking apple content: http://www.saschameinrath.com/2007feb04windows_vista_drm_turning_ipods_into_doorstops_since_2007

A quick google for "vista drm" will show many more.

I'm glad you haven't yet run into problems and its true that some users never will. However, Vista is still using your hardware to watch what you do at the expense of using that hardware for what you are trying to do. Even if you never run into a file you can't play, the cost to you in efficiency or in monetary terms is far above zero.

The price you paid for Vista included the cost of developing the DRM schemes that are only used to limit you. The ram and cpu Vista uses enforcing those schemes is ram and cpu that you could be using to do a useful task.

Its sort of like your neighbor stealing your bandwidth via wifi.You may not notice that you aren't getting your full bandwidth, but that doesn't mean it isn't making you wait a few seconds longer for that download, or get a little more lag playing the latest and greatest game. In this case, your nosy neighbor is watching everything you do so they can stop you if you do anything they don't like - and you are paying them for the privilege.

P: You sound exactly like the egotistical programmers I've been talking about. The general population is perfectly capable of understanding the concept of general communication security

Which "egotistical programmers"? The strawman you put up, who perhaps says "users are stupid"?

There are other developers out there who may have experienced that people don't stop and think and apply logic to surprises and annoyances, like pop-ups. And if you want to know why this is so, and why this is normal and not something that could or should be "fixed" by "user education", I recommend Peter Gutmann's text on usable security: http://www.cs.auckland.ac.nz/~pgut001/pubs/usability.pdf

Your tone and reasoning imply that you think people will pay attention and make informed choices if they are capable of understanding what the UI is telling them. Usually they won't. Reasoning is a scarce resource that most user's won't squander on annoyances and surprises coming from the GUI. Practical experience has shown them that muddling through works just fine.

And don't even think of presenting trick questions to insist that the user pay attention. That would be "egotistical developer" behaviour! The application is a servant, not a master. If you ask trick questions to your boss, you'll likely get fired.

So you think that Ellison, Schneier, Gutmann and Seifried are uninformed morons who are completely clueless about crypto and are making wild claims?

Why can't users get security right (revisited) [...]

Security people are wierdos

• Go directly against millennia of evolutionary conditioning
• No normal person would ever handle a user interface the way that security people do
• Security people design these interfaces assuming that theyâ(TM)ll be used the way that they would use them
• At least one user study on PKI un-usability was greeted with disbelief by security people
• It couldn't possibly be this hard to use!

There is another write up here:
http://www.cs.auckland.ac.nz/~jas/one/freewill-theorem.html

• Use a $495 Verisign certificate
  - People will come to your site
• Use a $9.95 budget CA certificate
  - People will come to your site
• Use a $0 self-signed certificate
  - People will come to your site
• Use an expired or invalid certificate
  - People will come to your site
• Use no certificate at all, just a disclaimer saying that you're secure
  - People will come to your site

The whole PDF is a highly recommended read full of sad truths.
Unfortunately, it is VERY hard to recondition users. I don't blame Mozilla for
trying (in fact I completely agree with the change), but it will probably fail.

the only transition that path will provide is the transition of ms/windows market share into what used to be apple/macos market share.

the stability, reliability, and intuitive feel of mac apps can not be feasibly maintained on an operating system for broader hardware ranges, and as such subject to greater instability. This of course doesn't touch on the fact the particular case you cite is the product of a third party not fully versed in the nuances of the programs involved, nor does it touch on intentional instabilities of Microsoft's latest os.

What this means is apple programs ported or hacked into windows would adopt the look and feel of windows applications, and would, if done through a third party abstraction layer, be less stable than native windows apps.

I know which company joe sixpack will avoid. To him a computer is a computer, just like all sports cars are the same to those who are not motor heads. One company's software worked on his computer, the other didn't. (and yes I managed to cram in a car analogy!... do we have a name for that forum law yet?)

Uhm, no, this is why I'm staying away from Vista for as long as humanly possible.

It has nothing to do with UAC, lack of drivers or lack of stability. It has to do with XP being to Vista what Linux is to XP when it comes to software that is designed to allow me to do what I want, as opposed to designed to prevent me from doing things.

Well, ok, there's also the fact that Vista has exactly one feature I might want at some point that I can't get in XP. That being DX10. I'm not paying the Microsoft tax just for DX10. Considering I know of no game as of today that requires it, there is no reason to "upgrade".

http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

This article: http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

Wrong. It is broken by design:

A Cost Analysis of Windows Vista Content Protection: http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

Summary: Vista is spending a significant amount of resources making sure you aren't doing anything it doesn't like.

the theory- http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html
the goal http://www.forbes.com/2007/02/10/microsoft-vista-drm-tech-security-cz_bs_0212vista.html
a practical consequence -http://davisfreeberg.com/2008/01/03/bad-copp-no-netflix/

And:
broken sound API's (change for change sake)
Lack of drivers for older hardware
Useless on older machines with just 512 MB of RAM
too many versions
SP1 released just last month
Did I mention the DRM? http://practical-tech.com/entertainment/vistas-multimedia-mess/

As someone already mentioned, MS has 2 OS's in competition, and the newer one is losing. Why is it surprising that they would provide a "fix" to XP that makes it less desirable? Let's face it- they could have put out SP3 at any time in the last three years, and should have. They took the time to pull SP3 last week when it was conflicting with some MS Point of Sale software, but they don't have the resources to test it on any HP systems with AMD cpus's?

WARNING: THIS POST CONTAINS GRAPHIC DEPICTIONS OF MICROSOFT RAPING POOCHES FOR THEIR OWN PERCIEVED GAIN. DO NOT READ IF YOU ARE AVERSE TO GRAPHIC CONTENT OR EASILY ANGERED BY MICROSOFTS WANTON COCKMONGERING STUPIDITY.

The biggest issue is Vista drivers. And its not simply hardware people that need drivers, theres a huge base of software that relies on installing system level devices that perform various things Windows is simply unable to do itself.

MS really fucked the pooch particularly gruesomely in this department
1. Device driver development kits got shipped only at the 25th hour
2. DDK availability was low then and is low now. You have to like red tape and receiving anal sex to play this game anymore.
3. Oh yeah, DDK is now useless.

#3 is really where things get EXTRA DOUBLE Microsoft pooch screwing special. See, because Microsoft wanted a DRM safe platform the only way to secure the OS was to make only certified secure drivers able to run on the OS. Whereas before MS certification just a big roadblock most people just went around (see: not fans of pooch screwing), now its totally mandatory with no exceptions.

My favorite example of how badly customers get fucked by MS's great love of pooch rear ends is the RBC9 SpaceNavigator driver. Some enthusiast saw that the badass 6 degree of freedom controller from 3dconnexion was a) basically useless for anything these jerk offs didnt write a driver for yet b) is /nearly/ just a straight usb joystick device. Likely using the old DDK and making by his own confession very few changes he turned this sweet piece of hardware from something that can only be used with the handful of apps the jerk offs built the controller to support, to a universally accessible wonder controler you can use to stomp the crap out of people in gears of war and freespace 2 with.

Theres just one problem. Theres not a snowballs chance in hell there will ever be a not-totally-fucking trash 64 bit driver for this awesome controller. 3dconnexion thinks their business is selling shitty proprietary software when in fact all we want is a hardware company, they're to freaking drunk on software sales to write something actually useful for their hardware and have no interest in doing so. On the other hand, RBC9, who wrote this sweet driver, has no way of a) getting a new DDK for Vista 64, and b) distributing the driver in usable form if he DID get a DDK.

I largely suspect Adobe's similar pooch abuse related activities regarding availability of 64 bit flash relates to the above circle jerks. Its been nearly 3 years and they still dont have a Flash that runs on 10% of the world's Windows IE.

MS bent hte customer and developer and the pooch over backwards to produce Vista. I really hope it takes them a while to clean all the gore off their dicks when they're done.

link drop / references:

vista drm:
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html
rbc9 3dconnexion pooching clusterfsck:
http://www.3dconnexion.com/forum/viewtopic.php?t=336&postdays=0&postorder=asc&start=390&sid=8207b7e5a2e2949040a86ba9c6c31e1d

That's very naive, to say the least.

First of all, nobody gives access to actual platter information - what they write there can only be recovered in a lab. So in worst case scenario an audit like you described can be fooled by on-the-fly encryption of written data.

But even if they correctly encrypt your data you don't know what else got written to the disk - i.e. the side channel information.

And just from the top of my head (simply to further disprove your point about effectiveness of such an audit)look here: http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html (p. 7)

So basically there are so many "holes" known and unknown, that without full disclosure of how they (Fujitsu) do that thing (including photolithography slides) such hardware encryption is unsuitable for "high stakes" situations.

oh hai, you should read this:
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

This is a poor, half assed attempt to bash microsoft by the fanboys.

This analysis explains a lot about how Vista and its business model should be avoided at any cost because it actually harms every user.

No DRM-encumbered media, no DRM. Your argument fails.

No DRM-encumbered media, no DRM. Your argument fails.

In accordance to Vita specs the Creative driver is behaving as expected under the DRM polices. Here is a link about http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html vista_cost

From Wikipedia:

Writer and computer scientist Peter Gutmann has expressed concerns that the Digital Rights Management copy prevention scheme in Microsoft's Windows Vista operating system may limit the availability of the documentation required to write open drivers as it "requires that the operational details of the device be kept confidential."

Source article

This is the only way the "trusted path" will work and it would be convenient for Microsoft if people and institutions did not realize that this is an unacceptable way of doing things.

No. I have read it here and here, but I'm not certain whether Vista actually does this or if it's just a massive fud campaign. From what I've read, it seems to be true. But as I said, I'm not 100% sure.

I'm not sure how many I have to post before you are convinced but here goes:
Exhibit A (most reliable) from Apple

Exhibit B (least reliable but similar to what you said) is here

Exhibit C (medium reliability) from Washington State University

In the end, I believe they all support what I said.

First of all, it's not the entire industry: GNU/Linux distributions do not enforce DRM. Secondly, it's not just support for DRM--it's unstoppable services that run in the background all the time whether you need them or not and degrade your performance. This is not FUD; it's just the facts.

Time for some more FUD -> http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

required reading for ANY discussion of Vista cost/performance issues. I was kind of surprised not to see the URL come up in the discussion thus far, so I dropped my mod points for this story in favor of posting instead.

Bottom line: if Microsoft had put the focus of Vista development on actually making the best-performing OS they could, instead of making digital restrictions the number one feature, the OS would very likely have been one of the best releases in recent memory. Instead, features and performance came in _explicitly_ behind DRM at every level of development and marketing (including Vista Compatible branding).

I think this is the authoritative article on Vista DRM

My understanding is that there are a few, mostly minor, issues. One is in 64-bit Vista, where you can't use older drivers, period. All drivers have to be signed to fit into the whole trusted scheme. I don't think this affects a lot of people - how many people have older 64-bit drivers? The conventional wisdom around here is that Vista was late partially because of the complexity associated with the DRM scheme.

This guy wrote a whole paper on it. His slides are more up-to-date. Basically, it boils down to: Vista makes your hardware more expensive (in order to support the end-to-end encryption), and the driver situation will be more chaotic with Vista.

Once you've read his slides, it's also not hard to imagine how this scheme affects performance.

Note that I don't use Vista and don't really care much about this stuff. By the time I install Vista, the issues will all be worked out and hardware will be fast enough that performance issues are not relevant. I was just sort of answering a question.

I don't know about NAND chips , but apparently ram isn't all that "volatile" as it should be( http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html [auckland.ac.nz] , part 7). If nand flash is anything like ram the ware leveling algorithms would still ruin any forensics in a system were data changes frequently.

I don't know about NAND chips , but apparently ram isn't all that "volatile" as it should be( http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html , part 7). If nand flash is anything like ram the ware leveling algorithms would still ruin any forensics in a system were data changes frequently.