Will Microsoft Code-Checking Plans Cripple the GPL?
Infonaut was one of many readers to point out that "Thomas C. Green at The Register seems to think Microsoft is after far more than the 'ubiquitous security' they're pitching to the mainstream press. In this lengthy article, he contends that Microsoft's latest plans are in many ways an attempt to kill Linux by rendering GPL'ed software unusable. Yep, that's freedom to innovate, I'd say."
Don't worry about Microsoft. They're on their way to being a footnote. I chuckle that they think that when forced to choose between MS and GPL, people will go with MS. That's not a safe assumption to make... not a safe one at all.
Just keep coding. Millions of happy hackers > politics and license agreements.
Hell is being intelligent in a world full of idiots.
The general thrust of the article is that under the new security system, GPL programs will not be able to be "trusted" by MS' hardware/software security system, so GPL-based systems (like Apache web servers) will become unusable with mainstream computers.
I doubt this will happen.
Because, frankly, the invisible success of open source is too widespread. I haven't looked at server statistics recently, but a significant percentage of web servers run on some manner of open source program. Microsoft isn't going to be able to force half of the web servers in the world to switch over, and if people know that buying this new board from MS/Intel (which has few tangible benefits) will render half of the internet unusable, nobody is going to go for it. I'm not even beginning to think about the various governments that have begun to standardize around Linux, the open source core of Apple's OS X, etc. etc.
Frankly, open source is too big. If Microsoft renders its systems incompatible with the GPL, then it will be Microsoft, and not the OS community, that suffers.
I say, let 'em try.
In Capitalist America, bank robs you!
However, this time they really win the game if they're successful. This is because if they can really implement this, they actually don't have to do the work of bastardizing the standard interfaces; they've inherently done it.
What they're trying to do is make it so that a common interface is a Microsoft interface from the start.
How many antitrust lawsuits do they want brought against them? I guess $30B can buy a lot of lawyers.
"Everybody knows the moon's made of cheese," Wallace.
This means that they have weighed in all the involved costs (migration, maintenance, training and so on), and they are not likely to go backwards to a proprietary M$ solution in 5 years (which would involve another heap of money for training, data migration, etc.)
Since M$ is not going to release any major rework of its flagship OS for the next 5 years or so, I see a chance for Linux and other free software OSes to dramatically increase their respective user bases in the meantime. And if the users turn out to be major organizations / administrations / companies, they will be in a position to negotiate an open-source (or at least, much less restrictive) alternative to M$ Palladium from the content providers / secured businesses they might have to deal with.
Just my 0.02 euros anyway...
In Soviet Russia, our new overlords are belong to all your base.
I think it's a chicken or egg problem.
If there were no PCs, this scheme might work because there is no "untrusted" installed base.
But since there are already billions of PCs out there that can't or won't work with this scheme, it can't be adopted because a merchant or web site owner would risk locking out huge portions of their customers.
This reminds me of the whole Passport authentication scheme that had everyone in an uproar last year. In the end it amounted to NOTHING because it never had critical mass.
I agree with most of the analysis, I just don't think anyone has enough control over the computing ecosphere to make this work.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
Why does everyone always assume that all of Microsoft's actions have a sinister undertone in them? I admit, I will look at these new security measures by MS with scrutiny, but I will give them the benefit of the doubt.
The reason I say this is that I do technical support for a local ISP; we have both Unix and W2K web servers on our system and a couple thousand customers that don't know the difference. I would say that most people won't even know they are getting these boards when they purchase a new machine. Then they will be calling me up to find out why they can't view their favorite web pages. The answer, "Your hardware is restricting your access to the site," is just going to blow right over their heads; they are not going to understand why. They are just going to be pissed at us for not being able to help them, probably switch to AOL or something before they find out the real problem, but by then it is way too late. They will just deal with it. Complacency is the name of the game; this is the same reason why companies offer rebates, because a good portion of the customers are not going to bother doing anything about it. Sure, some will, or try to return their hardware, but most will not; they will assume it is the new standard and everyone else will have to change to meet it. After all, their stuff is brand new, how could it be wrong?
If it won't boot, Fsck it!
you have a chip ON THE mobo that tells you if you can run an application. what if you're disconnected from any network? the chip must have some key that, applied to the application, will make it usable. Or will decrypt the application. Or will act as a general key to allow the cpu to run some code.
However, this palladium-thing looks like the whole .NET thing. Just marketing hype, nothing else. We've all seen what .NET has become... bugs even before it was launched. Palladium is just a way to scare vendors which would like to try linux.
;)
Still, it is something you have ON YOUR MOTHERBOARD. Like the CSS key... it's there, it will be just a matter of time before those evil linux users will find a way to bypass it, fake it, and run whatever they want. Bringing havoc on the pristine, certified, public-key signed microsoft world. Like a cancer...
....or at least I hope so. I have much more trust in a 15-year-old linux north-european user than in any chunk of Microsoft Engineers that live in their golden world, without Windows (hah! pun!) on the outside world.
Those guys at Microsoft are just playing the scary-announcement thing: to scare people before they make the next move. Then make them wait, then provide them a lot of useless marketing, then -before they will realize it- they have been embraced. And the empire extends itself.
Whoops! Sorry folks, I don't believe a word of this palladium thing until I see a working chip, and I see that it works better than current systems. THEN we can start talking about that, and hacking it. Unless the new DMCA won't make it illegal and punishable by death
cheers.
-- There are two kinds of sysadmins: Paranoids and Losers. (adapted from D. Bach)
This is the Steven Levy who has been writing about computers for two decades now, whose books include:
Obviously, with titles like these, he must be an ignorant Microsoft toady. On the other hand, Thomas C Greene, who has never spoken with anybody involved with the project, knows everything about it and what it is really about.
Let's be honest here - Microsoft has trouble on its horizon.
Microsoft has sold a lot of Windows 95 and Windows 98. And sad to say, these so-called "operating systems" are good enough for my mom and dad (and sister and grandfather and girlfriend and boss).
Now what? What is Microsoft releasing that would convince my family to upgrade their PCs? To be honest, nothing but hardware failure will convince them to do that. They're happy with their 5 year old PCs, and such longevity is sure to hit Microsoft's bottom line.
The answer? A new security scheme that makes it impossible to run new programs on old hardware. A scheme that also negatively impacts unauthorized vendors (including "open source"). And a scheme that forces users to upgrade on a periodic basis just so programs will work.
Let's be honest - Microsoft has some of the best business people in the world. And they're smart. They recognize this issue and plan to leverage it for profit.... not for innovation or customer experience.
The answer? Disable Outlook - in my opinion, Outlook is the biggest computer security issue ever. It's a nice email client (in general terms), but the security issues have been out of control.
A quote from the GPL:
:)
"6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License." (emphasis added)
As there is no specific mention that the GPL applies only to source (it applies to computer programs, including binaries and object code, as specified in section 3), one can only take this to mean that forcing it to comply with Palladium would be imposing a further restriction on the user's ability to exercise the rights given to them by the GPL. This is itself breaking the GPL.
Just something for the GNU friendly legal types to chew on
Now sound or video hardware that looks for signatures, that's another, harder problem
-- ac at work
Microsoft has enough money and enough clout that something like this getting implemented is a real possibility. Switching over to a different OS might be feasible for some people, but for the vast majority of users, it is not. If Palladium is implemented and Microsoft does succeed with it, what will happen?
Since we will lose a lot of interoperability, the computing world will be split into Microsoft and non-Microsoft, which end up roughly independent from each other. As I see it, there are three possibilities depending upon how deeply the hardware manufacturers and government get involved. Either those who use Microsoft are cut off from those who don't use Microsoft, those who use x86 are forced to use Microsoft (or at least their authentication system), or it becomes illegal not to use the system and everybody is forced into Microsoft's death grip. None of these possibilities are very appealing.
The only way things won't completely suck is if this is never implemented, but if they have as much industry support (and pressure from the bill formerly known as SSSCA) as I think they do, then the outlook doesn't look good. That is why Microsoft's power should be limited, why they should be punished, and why they need to be monitored to prevent them from doing things that are anti-competitive (even if not overtly so). That is why I hope that, in the end, MS receives at least a slap on the wrist from the antitrust suit, if not something slightly more meaningful. Of course, with Bush in the White House, I have serious doubts... if only more people realized that just because something is good for a big company doesn't mean that it is necessarily the best thing for the economy or the citizens of the country... *sigh*
That's gotta be the most polite request to cease and desist that I've ever read.
The "safer" way for Microsoft, is to make their next version of Windows warn you whenever you try to do something "unsafe". Imagine if each time you connect to a webserver not running this security stuff, you get a window saying that you are connecting to an insecure site and that you should ask the site operator to upgrade to a secure system.
Then give users the option of blocking unsafe sites permanently.
Then after somewhere around 70-80% of all systems are "secure," they issue an upgrade that makes your machine refuse to deal with unsafe data by default, hiding an option deep down in Windows to allow it. Possibly allowing you to "self authenticate" old applications.
After a while, you then make the authentication mandatory.
This has the possibility of working, if they aren't met with solid opposition from the start, and if they have the sense to do it gradually enough to not alienate too many people.
Keep in mind that Windows is based on obsoleting things. There's so much old software that stops working between versions of Windows that that argument simply doesn't hold - your Windows software WILL become worthless sooner or later, but people still stick with it.
And as for switching to Linux, you might not have that option, as the entire point about Palladium was that it is meant to be enforced in hardware via alliances with Intel and AMD (for now).
Microsoft may be evil, but they aren't stupid... People can't afford to take the risk of discounting their ideas.
Think about this in conjunction with their plans to make Longhorn debut in 2006 as a radically new OS. Do you know what "radically" new says to me? It says completely incompatible. And not simply with Unix/Linux/et al, but with former Microsoft products as well.
Bear with me for a minute.... let's say for a minute that Longhorn is to Windows XP what Mac OS X is to OS 9 - a complete rewrite, completely incompatible, and arguably 100 times better. But adoption is slow. People are entrenched in their current OS of choice, OS 9 or even 8 for some. So when Microsoft prepares to move the masses to their radically new OS in late 2006, a great deal of segmentation will occur.
Now let's pretend that Linux is ready for the masses (on the desktop) by 2006, and it has a stronghold in the server market. Now you're looking at two paths (at least for corporate types): 1. Continue to allow MS to shove upgrades down your throat and keep following the Windows donkey cart. Further, subject yourself to the new DRM of Longhorn and face issues of your free software and possibly other commercial software (i.e. Oracle and other DBMS) not working correctly. 2. Switch to Linux or maybe Macs. When companies are forced off Win 2k/XP and forced onto Longhorn via MSFT, we'll see how many are willing to comply. Continuing to use XP/2k may not be an option, but ditching MS entirely may be a reality in 4 years.
I know it took a long time to get to my point, but it's a complex issue. Far more complex even than I have portrayed above. But seriously, I think MS is going down a road to making themselves irrelevant. However, never count out the power of marketing! What MS lacks in software reliability they make up for with a powerful marketing department and an unfortunate following of corporate weenies.
If MS starts this scheme in 2 years, it will take another 7 years until 90% of their users have it (and that's still not enough because 10% is still too much to lose).
Microsoft can afford to take the long view. The biggest driving force of Palladium/Longhorn will be the DRM technology. People want to consume media and the media companies will require rights management. The media companies can also afford to take the long view. They only need to keep crushing P2P upstarts through sheer weight until the laws and technology to support DRM are widespread.
If only "trusted" apps running on a "trusted" operating system can play music and video, then people will buy those. Remember the vast majority of people aren't interested in their rights - and before anyone starts, I didn't see any groundswell of ordinary people defeating the DMCA.
There is no "Linux" to defeat this. There are only distributions. The big commercial distros are the ones that will end up on ordinary people's desktops, and they can either play along or not play - it'll be that simple. When it comes to pleasing shareholders I can guarantee that they will choose to play along.
You just can't afford to be complacent on this issue. This is the biggest failing of the Open Source movement - there is no movement, just a bunch of people writing open source software. This works fine when there's no threat to the freedom, but when there is there's no organisation.
The closest thing free software has ever had to a movement with principles and goals is the Free Software Foundation - and look at how ridiculed RMS has become.
People like sitting on their butts and whining a lot more than they like actively campaigning.
Put a patch in the os (isn't open source great - you can't do that with closed source) that intercepts all bios calls, and gives back the response you want to give.
Next, we'd see patches for flashing the rom to disable the mobo code - again no problemo!
The only people who wouldn't be able to accept this solution are proprietary os loosers^H^H^H^H^H^H^H^Huseres.
This way, you can even imitate another user and pc by copying their hash key - talk about yet another gaping security hole.
Now you won't even have to root their box to own them
I guess this is Bill Gates' latest insecurity model
Micro$oft - you fix it, they break it in the next version!
Embedded security into a hardware device to restrict its use? Sounds similar to me.
:)
I wonder how many firmware/BIOS patches will show up that disable or fool the hardware device like how you can disable region locking in your DVD drive -- not that I would ever condone such behavior
Suncoast Linux - Sarasota, FL
Here's why:
Palladium is pure speculation by Microsoft. They cannot afford to release this to the public, because they would lose their monopoly on desktop operating systems if they did.
The society for a thought-free internet welcomes you.
What is the free equivalent to this? I propose the following:
Microsoft is banking on the fact that companies will trust it to authenticate good software because they trust the Microsoft reputation. Historically, Open Source has developed its trustworthy reputation by banking on actual users who state that the software is trustworthy.
So here is a Free alternative to Palladium - a public trust clearinghouse. Much as DCC authenticates spam, and the GPG repositories authenticate public keys, a public trust clearinghouse could be an expression of the corporate trust of software.
As an example, imagine giving each member of the Wilshire 5000 a number of votes equal to 10000 minus their position in the Wilshire 5000 (i.e., the biggest company gets the most votes). Each can submit any mix of those votes to the "trust this software" and "don't trust this software" bins, and can move them as they wish. New software would have very few votes. Established software would have many votes. The decision to trust could be based on both the number of votes and the percentage of positive votes.
Yes, I think using the Wilshire 5000 is a requirement, because corporations don't trust the general public with business decisions any more than you and I trust Joe Six-pack with firewall settings.
The question then is how to incentivize corporations to participate. Perhaps a license requiring that those 5000 companies submit a certain number of votes per month to be allowed to access the trust repository... just spitballing.
Regardless of how it is done, I think Microsoft has hit on a genuine chink in the O/S armour - it does not have any officially responsible party. Coming up with a way to state authoritatively to business that version 3.142 of SuperDaemon is trustworthy would go a long way to countering Palladium if it catches on. And frankly, I would be far more likely to trust 5000 parties who are objective on average than to trust the manufacturer of the software.
Stop-Prism.org: Opt Out of Surveillance
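As an added illustration (not part of the original thread or any poster's code), here is a small Python sketch of the weighted-vote clearinghouse proposed above: each company's vote allotment is 10000 minus its index position, votes are spread across "trust" and "distrust" bins per package, and a verdict needs both enough votes placed and a high enough positive share. The company names, package names, vote thresholds and the rule that a company may not place more votes than it holds are all assumptions made for the example; the index positions are constructed, not real market data.

```python
"""Weighted trust-vote tally for the 'public trust clearinghouse' idea.

Added example; the vote formula follows the post, everything else
(thresholds, over-commit check, sample data) is an assumption.
"""
from collections import defaultdict

INDEX_SIZE = 5000   # members of the index
VOTE_BASE = 10000   # votes = VOTE_BASE - position: #1 holds 9999, #5000 holds 5000


def allotment(position):
    """Votes a company may spread across every package it has an opinion on."""
    if not 1 <= position <= INDEX_SIZE:
        raise ValueError(f"position {position} is outside the index")
    return VOTE_BASE - position


def tally(allocations, positions):
    """Sum each company's current vote placement per package.

    allocations: {(company, package): (trust_votes, distrust_votes)} holding the
                 company's *current* placement; moving votes means overwriting
                 the entry, so nothing is double counted.
    positions:   {company: index position}.
    Returns {package: (trust, distrust)}.  Raises ValueError if a company has
    placed more votes, summed over all packages, than its allotment (assumed
    rule: the allotment is a budget, not a per-package quota).
    """
    committed = defaultdict(int)
    totals = defaultdict(lambda: [0, 0])
    for (company, package), (yes, no) in allocations.items():
        if yes < 0 or no < 0:
            raise ValueError("negative vote counts are not allowed")
        committed[company] += yes + no
        if committed[company] > allotment(positions[company]):
            raise ValueError(f"{company} has placed more votes than it holds")
        totals[package][0] += yes
        totals[package][1] += no
    return {pkg: (t, d) for pkg, (t, d) in totals.items()}


def decide(trust, distrust, min_votes=5000, min_ratio=0.9):
    """Two-factor verdict from the post: enough votes placed at all, and a high
    enough share of them positive.  Threshold values are assumptions."""
    placed = trust + distrust
    if placed < min_votes:
        return "unknown"          # too new / too little attention to say
    return "trusted" if trust / placed >= min_ratio else "untrusted"


def classify(allocations, positions, **thresholds):
    """Verdict per package for a full set of allocations."""
    return {pkg: decide(t, d, **thresholds)
            for pkg, (t, d) in tally(allocations, positions).items()}


# Constructed sample data: hypothetical companies, positions and packages.
SAMPLE_POSITIONS = {"AcmeCorp": 1, "Globex": 2, "Initech": 4990, "Hooli": 100}
SAMPLE_ALLOCATIONS = {
    ("AcmeCorp", "SuperDaemon-3.142"): (9000, 0),
    ("AcmeCorp", "ShadyTool-0.1"):     (0, 900),     # AcmeCorp total 9900 <= 9999
    ("Globex",   "SuperDaemon-3.142"): (8000, 0),
    ("Globex",   "ShadyTool-0.1"):     (0, 1990),    # Globex total 9990 <= 9998
    ("Initech",  "SuperDaemon-3.142"): (0, 10),
    ("Initech",  "ShadyTool-0.1"):     (5000, 0),    # Initech total 5010 <= 5010
    ("Hooli",    "NewApp-1.0"):        (100, 0),     # too few votes to judge
}

if __name__ == "__main__":
    for pkg, verdict in sorted(classify(SAMPLE_ALLOCATIONS, SAMPLE_POSITIONS).items()):
        print(f"{pkg}: {verdict}")
```

With the sample data, SuperDaemon-3.142 collects 17000 trust votes against 10 and comes out "trusted", ShadyTool-0.1 is "untrusted" because only about 63% of its 7890 votes are positive even though a small company pushed its whole allotment into the trust bin, and NewApp-1.0 stays "unknown". The over-commit check matters for the "5000 objective parties" argument: without it, one company could outvote the rest by simply placing its allotment on every package.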
And, to top it all off, in the past 30 years or so, incidences of stress-related mental illness have increased by something like 500% (I forget which study I read that in, but anyway).
And what do we have to show for it? Do we have more time to spend with our friends and families? No, all we have is a few new toys (although, as a geek myself, I have to admit that they are fun toys). If we see an average person working one day a week and making enough money to support themselves and their families, then that would be a massive improvement in quality of life.
In fact, we have seen the opposite; the two-income family is so common that it has become difficult to be one-income anymore. The quality of life has decreased enough that the average two-income family now lives about the same as an average one-income family in the 1920's.
Remember, those who do not understand history are doomed to repeat it.
Hardware, software, and blinking lights!
The real reason why Microsoft is doing this is they want to be the DRM gatekeeper. All digital media will end up going through them, and they will come up with new standards and schemes to get a percentage on all of this information. Look at the new MPEG-4 standard - they are planning to charge for the data stream. It's where MS wants to go today.
Killing Linux and the GPL is an added benefit.
-asb
A message to all open source, or any, developers out there, "Do not make this work. Do not try and hack a Linux solution to make this work. Make sure your stuff doesn't work with this new system. Make sure your site doesn't work with these whacked mobos. Do not allow Microsoft to succeed."
If we hack out a solution that will kinda sorta allow Linux to function in this system of stupidity, we will be forced to deal with it forever. The best way to fight this latest attack is to make users uncomfortable. Don't allow your apps to run on systems that MS has locked down. People will quickly get pissed when they can't get to their favorite pron site or whatever.
1. Intercept the bios calls, and return whatever you want, including "signed" data. Or return nothing. Or return values you've sniffed from someone else's box.
2. Back up your bios first, then look through the bin file (doing this on 2 mobos with the same bios, and running a diff will give you the bios key)
3. If sites don't allow people in who aren't authenticated, this means that, eventually, as authentication becomes all-pervasive, unauthenticated users will become "invisible". Once nobody will be able to see them, and nobody's checking for them anymore, they'll be able to roam the net free of constraints.
Also, we could run the data stream through a firewall that could strip out any key data, or replace it with whatever we want.
There are also privacy concerns that would require that the ID be able to be changed, or deleted. You can be sure that the NSA, etc., will insist on a back door for their "trusted users". How long before someone else finds it?
If you don't think people will be able to do this, check out how many are using hacked satellite TV cards.
Hailstorm failed for one BIG reason: No one in their right mind trusts Microsoft with security sensitive data. Corporations from AmEx to the average joe consumer didn't buy the claim that Microsoft would protect all this confidential data.
Now, we are to trust Microsoft to develop an all-encompassing security platform? How do those bone-heads at Microsoft Marketing/Engineering think anyone at all will buy into this?
It takes a very long time to build security into your products, and an even longer time to build trust with customers. Microsoft has not done either, and this security platform will fail without the support of hardware vendors, software vendors, and people like you and me.
-ted