Slashdot Mirror
Microsoft's 'Palladium' Privacy/DRM Scheme
Paradox Jack writes: "according to this article at MSNBC, Microsoft has an ambitious new plan called Palladium to rework computer and internet security. This includes changes in hardware, digital rights management (on all sides), and far more. Now, who thinks this will actually work and is for our own good?"
from the way it looks to me, this system will actually protect your priacy and provide a decent amount of security. However, it is uknown as to whether or not microsoft will be able to invade your privacy, since they make the system. Have to double check that EULA! As for digital rights management, I am just generally opposed to it, as are most of you ;-). And anyone who gives up their freedom for an illusion of security deserves neither (one of those founding father guys).
Remove the DRM and this looks ok to me.
The GeekNights podcast is going strong. Listen!
This sounds like what States' Attorney Steve Kunney put into closing arguments this past week:
Somehow they know better than anyone else what's best for this PC ecosystem. What's good for Microsoft is therefore good for the economy, good for consumers and good for everybody else.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Kenneth Lay and Jeffrey Skilling announced an ambitious new technology that will protect investors from fraud. "Sure, everybody who wants to invest will have to buy our product first, but once they do, they'll be perfectly safe from all the, um, bad people who would otherwise take advantage of them", said Skilling.
I don't care if it's 90,000 hectares. That lake was not my doing.
"I firmly believe we will be shipping with bugs," says Paul England.
Even if that is not the goal, I guarantee that only Microsoft signed drivers will be able to be installed, finally closing that pesky "sound card and CD-ROM emulation" fair use hole that is robbing the MPAA/RIAA of additional royalties.
This is NOT about making things better for the user. This is about removing the ability for the end user to make decisions about how her computer operates.
"Though Microsoft does not claim a panacea, the system is designed to dramatically improve our ability to control and protect personal and corporate information."
Maybe this should actually read:
"Though Microsoft does not claim a panacea, the system is designed to dramatically improve THEIR ability to control and protect OUR personal and corporate information."
"If you put the federal government in charge of the Sahara Desert, in 5 years there'd be a shortage of sand". -Milton F.
The article says, "people will have to trust Microsoft".
Now ignoring all the heat that Microsoft gets around these parts, it's usually a bad idea to trust one entity:
- Hollywood trusted DVD encryption
- Stock holders trusted Enron and Tyco
- Investors trusted Merrill Lynch & Author Andersen
- Pinto owners trusted Ford
Obviously, even with the billions at risk, a trust to not screw up is more of a faith. A prayer. A hope.
The difference here is that even more people will be putting their faith that Microsoft will do the right thing morally, and that microsoft will not screw up. Will not screw up even once. Like they'll never release a Microsoft Bob again.
Unlikely.
Sadly, if Microsoft wants to pursue this effort, it really has to be open, and, dare I say it, well regulated with many legal protections for the consumer.
That's apparently the basic concept. Only "authorized programs" ("Genuine Microsoft") will run. That's where we are now with the XBox. Read up on how the XBox boots, and you'll see where Microsoft is going.
This isn't security. Real security would mean you could run anything in a jail with no risk of it getting out and hurting anything. That's what a secure OS is supposed to do.
And if the Genuine Microsoft code has a hole in it, attacks may still work. Microsoft might set up memory management so that only signed code can be in executable pages, but that only protects agains one class of attacks.
What are the bets on whether the interface for this hardware will be open? How likely will it be that the licensing board allows OSS software to be written for the hardware? With DeCSS, we've already seen that OS-neutral companies are unwilling to allow their content to be viewed in Linux. Microsoft, being not so OS-neutral, is likely to take this even further.
Does no one else notice the irony in having the company responsible for 90% of the viruses, worms, back doors, and trojans - all due to poor planning on the part of MS executives and programmers - suggest that now they can fix it for all of us?
If I were a conspiracy buff I'd think that MS created the security problems so that they could point to the "insecure internet" and offer some solution that benefits only them.
That anyone, much less some "internet guru" takes this at face value illustrates that P.T. Barnum was right about suckers.
No one ever had to evacuate a city because the solar panels broke!
Good old WebElements has a little something to say about the biological reaction to palladium:
Microsoft knows what they're doing, and if this thing succeeds, you can forget about any non-Windows operating system being even remotely usable.
Microsoft holds a patent that describes a method by which hardware and software interoperate to guarantee "digital rights management" (aka fair use destruction and monopoly lock-in). The patent describes a mechanism in which there is a private/public key pair, with one half embedded in hardware (possibly the CPU). Only "authorized code" (aka Windows) can run in ring 0 (kernel space) on the CPU. Naturally, only Windows has the other half of the key.
This is probably how the Xbox prevents third-party operating systems from running, and it probably is why they originally applied for the patent. But it also has lots of uses in the monopoly business. This article describes how useful the patent could be in implementing the Hollings bill. Take it one step further and it's easy to envision a world in which this type of "protection" is not only mandated by law... but unimplementable by Linux hackers due to patent problems.
Hopefully, by the time this thing hits critical mass (if ever), Linux will be too firmly entrenched for the industry to allow it to be required. I think we're already there on the server side (1 out of 4 servers sold today ships with Linux, more if you include the ones they can't count). In another couple of years we'll be there on the desktop as well. But as they say, the price of freedom is eternal vigilance. Let's make sure we get heard.b
Tired of FB/Google censorship? Visit UNCENSORED!
They said they are publishing the source, not that they intend to allow anyone to do anything with it.
"Publishing" probably means allowing a few "experts" who are willing to jump through hoops and sign ferocious NDAs to "look but not touch".
Most likely what they "publish" won't be what they compile from anyway.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
I'm sure a MS's execs reply would be, "Of course you dont have to pay extra for a pc... [ you dont have to use a pc at all ]
Which might be just what I do -- move to mac.
I'm *really* sick of the adversarial attitude held by alot of companies latley -- "the customers are our enemies, we will dog them to do what *we* want." If you dont like this (and I sure dont), vote with your $$ and dont buy it.
Religion is a gateway psychosis. -- Dave Foley
This is what I saw when I read this as well as well:
"Protects information. The system uses high-level encryption to "seal" data so that snoops and thieves are thwarted. It also can protect the integrity of documents so that they can't be altered without your knowledge."
Can you say "public key tampering?" If this 'black box' chip encrypts everything to your own public key, how do we know it's not encrypting everything to the joint NSA/MSFT/(RI|MP)AA/etc key as well? Um, we don't.
"Stops viruses and worms. Palladium won't run unauthorized programs, so viruses can't trash protected parts of your system."
I wonder how many windows users STILL have not installed the Root Certificates Update Patch on their machines? This patch was issued because someone faked their identity as microsoft and verisign gave them a Microsoft named digital certificate. What's to stop them from doing this to Palladium and running any code they want?
Furthermore, they say this won't run unauthorised programs - but who authorises them? Many people think they control their hardware, but remember when TiVo boxen were forced to record a certain program? What if this black box allows the NSA or MSFT or ... to force your computer to run their code? It seems to me that if your machine has a Palladium chip, firewalls and patches mean nothing -- you are r00t3d from the very start. Nice.
"Cans spam. Eventually, commercial pitches for recycled printer cartridges and barnyard porn can be stopped before they hit your inbox--while unsolicited mail that you might want to see can arrive if it has credentials that meet your standards."
Really. How can a chip that is designed for encryption and authentication prevent someone from sending spam to you@yourisp.com? I think that this one is just baseless hype. Has ANYONE heard of a hardware solution for micromanaging spam? (Note: Micromanaging does not imply pulling out the RJ45.)
"Safeguards privacy. With Palladium, it's possible not only to seal data on your own computer, but also to send it out to "agents" who can distribute just the discreet pieces you want released to the proper people. Microsofties have nicknamed these services "My Man." If you apply for a loan, you'd say to the lender, "Get my details from My Man," which, upon your authorization, would then provide your bank information, etc. Best part: Da Man can't read the information himself, and neither can a hacker who breaks into his system."
Do you believe that MSFT wants to safeguard your privacy and r00t your box at the same time? See my point about public key tampering. I think they want to do to (gnu)PGP what they did to Netscape by including their own 'encryption' in the OS and Hardware. Of course once you start using their encryption, who knows WHO will be able to unlock your data? Remember the Scarfo Case. The FBI simply cannot break PGP with a high number of bits effectively on a large scale. They need to be able to read your encrypted files at will. That is what this will provide.
"Controls your information after you send it . Palladium is being offered to the studios and record labels as a way to distribute music and film with "digital rights management" (DRM). This could allow users to exercise "fair use" (like making personal copies of a CD) and publishers could at least start releasing works that cut a compromise between free and locked-down. But a more interesting possibility is that Palladium could help introduce DRM to business and just plain people. "It's a funny thing," says Bill Gates. "We came at this thinking about music, but then we realized that e-mail and documents were far more interesting domains." For instance, Palladium might allow you to send out e-mail so that no one (or only certain people) can copy it or forward it to others. Or you could create Word documents that could be read only in the next week. In all cases, it would be the user, not Microsoft, who sets these policies."
See previous point. Remember Life on the net in 2004? Remember: "Another warning appears -- "Your license for this recording has expired, unable to play." Damn -- another $49 if you want to listen to that music for another year. You wonder, if as they claim, these new measures significantly reduce piracy, why music is now so much more expensive?"
They say the next windows release is slated for 2004. (I predict 2005.) This is exactly what the article's author predicted. But it is being touted under the guise of a product for protecting users.
In reality, this is a product for exposing the every private doings of regular people to MSFT, American Secret Services, the (RI|MP)AA and being able to remotely control their machines and shut them down if desired.
[Insert 'opensource-protects-users' plug here.]
If I remember my greek mythology correctly, the Palladium was supposedly used to protect the city of Troy. As long as the statue was there, the city would be safe.
The Palladium was eventually stolen and afterwards the city of Troy fell.
I don't know about you, but isn't it ironic that Microsoft names their next security product in reference to this same Palladium?
Let's take a look at these new innovations:
So MS is going to claim it invented encryption and checksumming in 2002. Most Windows users get viruses via email scripts, which aren't programs. So this won't cut down on viruses (why would MS want to when they can claim that the virus writers are just getting savvyer and that you need to buy a more secure system to stay one step ahead). I've seen the "unsolicited mail you might want to see." Hotmail calls them newsletters and prevents you from blocking them. Bull$hit. No company is going to spend the money to store, manage and distribute your information if they aren't getting paid or reading your information. If you're already talking to the lender, why can't you give them the information yourself... or are people really too lazy to write down their name, address and phone number? Yeah, it's funny how people didn't buy into DRM the first time around, kinda like pay-per-view DVDs. But if we sugar-coat it and convince consumers that they can benefit from DRM (after all, a reader of a protected Word document can't copy its contents down while he has access to it and redistribute it later), they will accept it, the music industry will turn to us for DRM-formatted CDs and MS will control the audio CD format. Great. The future of the PC redefined by a paintball arena manager. Because terrorists and hackers keep welding antenna-laden black boxes to my keyboard and monitor. Now that's innovative... convincing consumers that someone is trying to wiretap their watches so they will pay more to hardware-encrypt data between the crystal and LCD. With the current U.S. push to chip away at privacy rights in the name of preventing terrorism, the FBI/the CIA/Ashcroft would be speaking out against this if it really protected the individual's privacy. Please note that this is a Newsweek article, not an MSNBC article. Newsweek's parent, The Washington Post Company, cut a deal with Microsoft about two years ago in which MSNBC would publish Newsweek.com in a more cost-effective way than the WashPostCo could.Whether you want to trust Newsweek's articles about Microsoft any more than you would trust a MSNBC article about Microsoft is up to you.
It's absurd to think that such a huge company that has control of such a huge share of the market with software that has such huge security concerns, can come up with something that actually *is* secure. If this takes hold, all I can say is that the OEM's will be getting my business, NOT Dell, HP, or any of the other major players that are going to incorporate this nonsense into hardware.
Just the same, I especially liked this passage:
Controls your information after you send it . Palladium is being offered to the studios and record labels as a way to distribute music and film with "digital rights management" (DRM). This could allow users to exercise "fair use" (like making personal copies of a CD) and publishers could at least start releasing works that cut a compromise between free and locked-down. But a more interesting possibility is that Palladium could help introduce DRM to business and just plain people. "It's a funny thing," says Bill Gates. "We came at this thinking about music, but then we realized that e-mail and documents were far more interesting domains." For instance, Palladium might allow you to send out e-mail so that no one (or only certain people) can copy it or forward it to others. Or you could create Word documents that could be read only in the next week. In all cases, it would be the user, not Microsoft, who sets these policies.
I started reading, and I thought..."it's obvious where this guy is heading - protect the commercial interests, screw the consumer." Then I read a little further, and noticed Bubba's comments on 'ordinary people' - but does it mention that nasty P-word (Privacy)???? No way. It talks about being able to place constraints on EMAIL! Oh happy day! And guess what...this isn't about ordinary people, because ordinary people usually don't have any reason to put such constraints on their e-mail...but corporate executives *cough*gates*cough* certainly do.
Overall, I think this whole thing is a crock, being masqueraded as something we need. Even if we do need it, I'd argue that the last person we need it from is Billy.
I don't know about you, but I'm stocking up on hardware and software NOW. As the article said, future improvements aren't going to be about speed but "security" (read: copy restriction at the cost of improved speed). This means that what we should do now is get the fast and free computers before they are no longer available. This stuff might become very expensive and rare -- available in places like the ghettos in 1984. Get two or three parts of everything. Maybe some LUGs can start "freedom hardware pools" where we will change out parts as the break.
One thing is certain: digital rights management has momentum, and is gaining more and more of it. The increased profitability of corrupt corporations and corrupt governments are at stake, and the fall of Napster is the first sign that the Internet is not government-proof.
-- Ken Kinder ken@_nospam_kenkinder.com http://kenkinder.com/
It's a brilliant name. They're talking about supplying a Palladium to a Troy, which will thereby prevent things like "Trojan horses" from bringing about the downfall of that Troy. The Palladium provided security. Microsoft wants to supply a Palladium. Jumping Jesus on a pogo stick, man, this isn't that hard to fathom.
If I may, I'd like to thank my grade school teachers for their emphasis on reading comprehension and critical thinking skills.
They also realized that if they wanted to foil hackers and intruders, at least part of the system had to be embedded in silicon, not software. This made their task incredibly daunting.
So there you have it. They believe that security through obscurity will be sufficient if that obscurity is in the hardware, buried under a layer of ceramic or epoxy. In other words, using hidden encryption keys in the hardware so that the key exchange won't be accessible via software tools. And the only way this can work is if everybody upgrades all their hardware at once. Fat chance! I'm all for cryptographically secure hardware--but only if I am the one setting the keys, not some secret industry / government consortium. DRM is absolutely not possible with obscurity and therefore is our enemy.
What to do about this?
1.) Don't buy or support M$ software. That means being choosy about employers too.
2.) Implement excellent free software solutions that will be inherently incompatible with any nonsense M$ pushes. The more people satisfied with Linux/BSD, the more people that will refuse this rubbish.
3.) Don't buy any hardware that supports any standards they dream up.
4.) Come up with our own open hardware/software security model. Be innovative. Find a way to make security and encryption easy for the average user.
5.) Spread the word to the non-tech folks. Use propaganda if needed--fight fire with fire.
Take another look at the criticisms being voiced. The issue is whether this really has anything to do with security, or more to do with providing an architecture to lock out competitors and control, or eliminate, fair use rights.
Microsoft's insecurity woes have little to do with encrypting signals between your keyboard/monitor and the computer. Signed code also misses the issue. The problem is that Microsoft has a long history of bad implementation and flawed architectural design. Environments that will remain flawed even as Microsoft moves on to their next Big Thing.
This casts further doubt on Microsoft's intentions and even ABILITY to provide a secure architecture. This is not entirely a technical issue. This has as much to do with Microsoft's culture and focus as it has to do with their engineer's abilities. There has to be a fundimental shift within Microsoft such as changing the focus on last-minute features at the cost of debugging. And that is a challenge for even a company as nimble as Microsoft.