Slashdot Mirror


Will Microsoft Code-Checking Plans Cripple the GPL?

Infonaut was one of many readers to point out that "Thomas C. Green at The Register seems to think Microsoft is after far more than the 'ubiquitous security' they're pitching to the mainstream press. In this lengthy article, he contends that Microsoft's latest plans are in many ways an attempt to kill Linux by rendering GPL'ed software unusable. Yep, that's freedom to innovate, I'd say."

17 of 539 comments

  1. Re:The Sky Isn't Falling Yet by JimDabell · · Score: 3, Interesting

    There must be a way of using in-house software by self-signing it. Can't people wanting to use GPL software just do the same?

  2. Re:The Sky Isn't Falling Yet by Zathrus · · Score: 5, Interesting

    In-house is irrelevant. That's not what this is marketed/designed toward. What MS is attempting to solve here is "how can I trust party X out there? How do I even know that party X is party X? And how can I trust party X not to share my private information with party Y?"

    It is, at least on the surface, a noble goal. There's still a lot of people out there that aren't willing to do transactions over the net due to security concerns. And even those of us who do use the net to do transactions know that there's pretty much nothing we can do about step 3 above -- if someone decides to share my personal data (be it my name, my address, my credit card numbers, or my social security number), there's pretty much no way in hell for me to ever track it back to them.

    The problem is, these are tough nuts to crack. That's why they haven't been fully completed yet. Microsoft is taking the stance that the only way to do it is to have a centralized authority, hardware encryption, and trusted systems. The problem with this is that it must be closed source. You cannot open the source up, nor can you allow people to "self-sign" -- doing so just means that Joe Cracker can say "yeah, I'm trusted - give me your info" and the system will. Because it's designed that way.

    Of course, there are a plethora of other issues here... privacy advocates will immediately scream about a centralized database of ALL the private information. Think the credit bureaus are bad? You haven't seen anything yet. And, after all, we're talking about Microsoft here -- they don't exactly have the greatest history when it comes to security. And this isn't the kind of thing you can release and patch up later. It must be virtually air tight from the very beginning, or else you won't be able to guarantee the system as a whole (good luck patching that security hole on the embedded card reader over there!).

  3. Re:ARE WE SURPRISD?!? by smd4985 · · Score: 2, Interesting

    You are right - this is NO surprise. So what can we do about it? Well, first of all, we need to get some hackers trained in the letters of the law. I'm an open source developer, and I'm hoping to go to law school next year. Our cause has less of a chance if we don't have well trained technologists who can analyze issues from a JD's perspective. MS has a ton of money to hire lawyers to attack us directly or indirectly, and we need smart people trained to counter that.

    --
    smd4985

  4. Two Operating Systems, Both alike on desktops by scorp1us · · Score: 2, Interesting

    Given Apache's penetration, and Linux's adoption, what is to say that Linux can't provide all that Microsoft can? I mean, what Microsoft would get is a "Microsoft Network" of computers (incidentally all running .NET). What this OS would tell you is: "No, you can't burn these MP3s, No you can't view that content." Meanwhile the open source half of the world will have *SOME* DRM capability, which will probably be something like "allow all." Now which OS are you going to pick? The one where the Media Mongers and Monopolists control, or the free and open one?

    This is just another nail in the coffin for Microsoft, by Microsoft.

    --
    Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.

  5. Dirty Trick but I can't blame them by div_2n · · Score: 2, Interesting

    I think we would all agree this could potentially be a very dirty trick. I may disagree through and through with their plan and approach, but I can't totally blame them. Think about their perspective--

    -Linux market share is gaining in every direction which means their market share is at extreme risk of dwindling.
    -There is no one company to compete with and/or buy out to remove the threat.
    -Even if they were able to keep Linux OS market share at bay, it will still continue to improve because the core development team can and will always exist.

    When faced with an enemy they can't beat with their usual tactics, their last resort might just be to try something like this. Attacking from the back door could be their last hope at maintaining their dominance. Make no mistake about it, that is what they have to do in order to keep their identity.

    It seems to me that Microsoft has realized the inevitability of software--it eventually reaches a point of commodity and finality. There is only so much you can do with a word processor to make it better. After that you are only complicating it. As the OSS alternatives quickly approach this state, there is no need to use the expensive version anymore.

    Regardless of their initial intentions, it might be safe to say that if MS sees GPL and Linux suffering from this endeavor, they will try all the harder to push it. Be wary of any company that has everything to lose and plenty of resources to try and keep it.

  6. Not a problem by scoile · · Score: 2, Interesting

    Thomas Greene's article is as much FUD as anything else.

    Microsoft has to get their technology onto the chip before anything else happens. Do you really think Intel and AMD are looking to get rid of the Linux market? Do you think IBM is going to let Microsoft kill the Linux market?

    Second, any DRM support would be built into the kernel (probably as a module) or a library. Applications would call the kernel or library functions to perform rights verification. So, only the kernel (or kernel module, or library) would need "certification", not each application.

    Third, there is and always will be a huge need for custom software for in-house applications. There's no way anyone is going to be able to require every company in the world to certify every one of their in-house applications. Therefore, there will still have to be non-certified, unprotected (or differently protected) channels.

    Digital rights management will primarily affect applications that specifically request rights verification from the OS. Applications that don't request verification won't use it and won't be affected by it. Plenty of applications and network services will be happy to communicate with each other without DRM.

    If anything, strict (cumbersome) DRM may actually drive more people to open source software. When people are getting nickel-and-dimed by every piece of software they use and every piece of media they review, they'll look for other options.

  7. DRM Comments by ansible · · Score: 4, Interesting

    Ya know, the more big media (and big biz in general) talk about DRM (essentially copy prevention), the less interested I become.

    Occasionally, big media has come out with some real gems (like LotR:FotR), but frankly, most of it is crap. I used to listen to the radio for music, but I'm not too impressed by most of that either. Now all I listen to is NPR and an independent dance music station.

    They can go and use all the technological means to protect their product (as opposed to art). As long as a few of us can still communicate together, I can keep using free software. As long as people still know how to sing and play, I'll still have music to listen to.

    Maybe I'll still go to a movie in a theater once in a while, but I'm just about finished with big media. The more effort they spend to protect their products, the less significant it becomes as art.

  8. I'm not worried...it will flop by LordKronos · · Score: 3, Interesting

    I'm not the slightest bit worried about it. It won't happen in that way. It's just paranoia. Remember back long before XP came out, and everyone was talking about how horrible XP was going to be because it was going to only allow you to run digitally signed applications? Didn't happen, and it won't. The average joe user wants to run fun little $5 and $10 games and apps that they download (think card games, personal diaries, system utilities, etc). They want to run these cute little freeware screen savers that friends email to them. It's not going to fly.

    The article talks about digitally signing everything, all purchase transactions, etc. Again, it won't happen. People want to provide as little identification as possible when they are browsing porn sites, and face it...porn is pretty darn popular. So at the very least, you are going to have to leave open some holes for certain things to happen. But once you leave a hole open in your ship, there isn't much you can do to stop it from sinking. One hole is all virus writers and spammers need to get the nasty stuff through.

    And doesn't anyone at Microsoft remember what happened when Intel put a simple processor serial number in their CPUs? People bitched up a storm about it. And that wasn't even a personal identifier (it identified your CPU...and if you changed CPUs nobody would know). Now they are talking about something that would identify you personally? Not gonna happen.

    And another thing, did Microsoft even collaborate with anyone on this? I know they have agreements from Intel and AMD to manufacture chips, but as far as I can tell from everything I read, Microsoft has masterminded this whole thing on their own. Ignoring for the moment the fact that I don't think consumers will adopt the idea, I don't think Microsoft could be successful in addressing all the necessary issues on their own. Even if 50 of the top companies got together and tried to come up with something like this, it would still be extremely difficult for them to come up with something robust, secure, and that addresses all future possibilities. If Microsoft is masterminding this on their own, it's going to be a million times more difficult to do so.

  9. Re:Who will 'force them'?? by rseuhs · · Score: 5, Interesting

    If your new PC refused to run unauthenticated binaries, that would pretty much kill Windows.

    Let me explain:

    IMO, the only thing that keeps Windows going is that people have so much software lying around that they have a hard time switching.

    Now if the first PCs with this limitation come to the market that force you to replace all your software many would just switch to Linux because your software will become worthless sooner or later if you stay on Windows.

    And if Microsoft is stupid enough to enforce Palladium in their OS, Wine/Linux will have BETTER WINDOWS COMPATIBILITY than Windows itself.

  10. End of software development too! by pongo000 · · Score: 4, Interesting

    The author of the linked article states that even with GPL'd source code, the binaries you build would not work because they aren't certified. How, then, would a developer develop anything if they can't run binaries? Or would all binaries run under the same cert on a particular machine? This whole scheme seems to be simply unworkable.

  11. Re:The time has come.... by colmore · · Score: 5, Interesting

    It's struck me before that what we need is a "rootless" Linux distro.

    One of the main obstacles toward using Linux is installing software. Whenever I try to get my friends to switch over to Linux, and I'm talking about experienced computer users with Unix experience, the inevitable huge stumbling block is "well how do I install anything?"

    What Desktop Linux needs is a semi-protected mode (no login) similar to the privileges of the default Windows user, you can change settings, install software, view the whole directory structure, but you can't change anything that would cripple the system to the point where "click here to restore default settings" (another option we need) wouldn't fix everything.

    Linux software should be as easy as download to the desktop -> click to install. Right now the learning curve of linux has been pushed back only a few steps, it's easy to setup a default config, and use the web and email and anything setup by the distro, but you still have to learn all sorts of crazy convoluted things to do anything beyond that. The difficulty of a task shouldn't be greater than the task's complexity.

    Once that is done, someone needs to write a book/series of visible articles entitled "So, you're tired of paying Microsoft $100 per year"

    --
    In Capitalist America, bank robs you!

  12. Not remotely possible by Fiver-rah · · Score: 3, Interesting

    He describes a scenario in which only certified binaries will execute on an operating system. Uh ... how on earth is this even remotely possible? And who would put up with it? Let's say that I'm just learning computer science. And I write a standard "Hello World" program, and compile it. Now, there's an uncertified binary. And, hypothetically, it won't run on my hardware.

    If no binary can run without certification by some outside agent, it follows that users can't write programs and run them without getting them certified (If they could, there'd be no worries about Open Source). Good god. Can you imagine what that is going to do to my debugging efforts?

    This scenario is not going to happen. Because even mostly clueless M$-running people will listen if you say, "Hey, you realize that if you run Palladium-based architecture, your darling children won't be able to use their computer for some very important learning purposes."

    --
    Read Bujold. Free (as in

  13. Re:The Sky Isn't Falling Yet by swb · · Score: 3, Interesting

    Can you imagine having to have corporations sign their own apps (NOT!)

    This does make some sense -- we get applications all the time from parent/sibling entities. Naturally we trust them because we're part of the same overarching business entity, but should we?

    It might also have value for internal security if the signing mechanism allowed for hierarchical keys and a true cryptographic system. As an added layer of security an application or data might be completely encrypted unless your machine/key decrypted it.

    I think it might appeal to some IT organizations which have third-party security concerns (defense, healthcare) but I think it might also just seem like a lot more baggage than necessary to other IT organizations for whom security is a more secondary concern.

  14. Re:Who will 'force them'?? by rseuhs · · Score: 3, Interesting

    You don't get it.

    Oh really?

    Of course they won't make new PCs refuse to run unauthenticated binaries right away. That would of course kill them. The "safer" way for Microsoft, is to make their next version of Windows warn you whenever you try to do something "unsafe". Imagine if each time you connect to a webserver not running this security stuff, you get a window saying that you are connecting to an insecure site and that you should ask the site operator to upgrade to a secure system.

    I imagine lots of pissed users and lots of suspicious users and lots of users who have lost their confidence that the next Windows will allow them to pirate.

    A message like this can be translated to: "Microsoft is watching you" - Thing is, people don't like to be watched when they download warez, mp3s, porn and divx-movies.

    People will avoid any system that has sub-par mp3/porn/divx/warez capabilities and will switch to something else (*gasp* Linux) if Windows loses these capabilities or gives hints that the next version will lose them.

    And as for switching to Linux, you might not have that option, as the entire point about Palladium was that it is meant to be enforced in hardware via alliances with Intel and AMD (for now).

    Linux runs the majority of servers, so Intel and AMD will support Linux, no matter what Microsoft says.

    Microsoft may be evil, but they aren't stupid...

    LOL. Yeah, that's why I see Hailstorm-websites all over the web. And Bill Gates surely didn't say anything stupid when he claimed "Internet will never be popular [and will get killed by proprietary MSN]". Or look at XBox which is the most inefficient and expensive gaming system on the planet. Microsoft is the only one losing huge amounts of money, yet they are at last position compared to Gamecube and PS2.

    Face it: Microsoft is probably the most incompetent company in IT. The only thing that gets them going is endless backwards-compatibility with their x86-desktop domination. (which dates back to 1981)

    People can't afford to take the risk of discounting their ideas.

    Wrong, people should start discounting their ideas.

    Microsoft marketing works like this:

    "We will release product xy next year"

    Then people LIKE YOU come around and scream "the sky is falling!", "Microsoft is evil", "boycott this product, it will destroy competition!"

    To Joe Average this all sounds like "Product xy will become the standard and all alternatives will become unsupported." -> Joe buys product xy. I wonder how many people have bought an XBox because they thought it would become "the standard" which was told so often all over the net. It's amazing how XBox sales figures dropped after it became clear that PS2 won't be dethroned. Even in the USA XBox fell behind Gamecube.

    Nobody likes to be a martyr, people like you are Microsoft's greatest marketing asset. Actually they don't have to do much marketing, people like you do it for them.

    I'm very thankful for Microsoft releasing the XBox, because it will fail so badly that Microsoft will lose their standard-setting image. (Microsoft had many blunders in the past like Windows/Alpha, MS Bob, Hailstorm, etc. But XBox will be the first the average customer will know about) In the post-XBox era, Microsoft will have to actually deliver something more than a press release to convince people of future standards.

  15. Switch! by psicE · · Score: 3, Interesting

    There's a computer available, that doesn't use AMD or Intel products, so it's immune from Palladium.

    It's got a 500MHz processor, PGX64 graphics accelerator, 128MB of memory, a 20 GB 7200 HD, Ethernet, floppy, 48X CD, smart card reader, and... Solaris 8 Pre-loaded? All for $995. (Yes, that's a SPARC processor).

    To me, it looks perfect. We get a high-speed 64-bit RISC processor, really the only RISC architecture that hasn't morphed into Itanium (poor Alpha); we get reasonable basic specs, and just about everything short of the proc/mobo can be upgraded with standard parts from Pricewatch; and finally, because Freedom is of the utmost concern, any version of Debian that you can run on x86, you can run just as well on Sparc.

    And if that isn't enough, if you absolutely *need* to run Windows applications for some reason, in addition to using Bochs, there's another option. If you don't mind keeping Solaris on your computer alongside Linux, you can even buy a $500 PC-within-a-PC card, with a 733-MHz non-Intel x86 processor; because it lets you run Windows and Solaris apps side-by-side, it's essentially a perfect cross between VMware and Wine.

    Don't know about you, but my next computer's a Sun.

    I do wonder what Microsoft would think if large numbers of people did this. On the one hand, they might love it; if all the Linux users bolt to SPARC, then Microsoft is left with 99.999% control of their platform, complete control for computers built in the last 3 years, and the power to make hardware manufacturers do whatever they say. On the other hand, it means that their Windows-is-better-than-Linux arguments now have to account for the fact that Linux is running Sparc, and it becomes that much harder to get Linux users to switch back. :D

    And for us, it means that the ugliest and slowest port of Linux, that for x86, is all but gone; and most time will be spent developing one of the cleanest, SPARC.

  16. Re:The time has come.... by paradesign · · Score: 4, Interesting

    or, look at how OSX handles this issue. If an application being installed requires root privileges it requires a preset root password. There is no need to run root, it runs it for you with the password. As for complexity, on OSX there are drag and drop installations off of disk images, and there are double click installers. So easy my mother could do it, and she cannot even get on the internet on our gateway/win98!

    the other issue i see is installing from source. unless you can make this a double click graphical process, people won't do it. it's as simple as that.

    i think what linux needs is something to complete this equation...

    Aqua enables Unix like...
    XXXX enables Linux.

    just look at what Aqua and OSX are doing for Unix, they're getting real people(pun intended) to use it, after it being around for decades.

    that and users don't want to hear about kernels or CLIs or anything remotely tech related. they want to poke at pretty buttons and make things 'magically' happen.

    --
    I want 2D games back.

  17. AMD already working on similar device by lapey · · Score: 2, Interesting

    http://www.extremetech.com/article2/0,3973,282114,00.asp

    "However, the AMD-Wave whitepaper also postulates the need for multiple protection schemes, something that Microsoft's limited public statements have not addressed."

    looks like AMD had this idea 2 years ago,

    Lapey