Slashdot Mirror
Coursey on Palladium
lrose writes "Check out this story over at ZDNet -- Microsoft is developing a secure operating system to be combined with hardware doing public key cryptography. The DRM aspect reminds me of something I read about an imaginary day in the not-too-distant future, where you can no longer install Linux on your own box because you don't have the necessary rights." Coursey's column is quite interesting, bringing a lot more of the backstory behind Palladium into public view. While geeks have been following and worrying about the TCPA, Microsoft has been working to spin the story with assorted columnists and journalists, so that when it broke it would be in the context that Steven Levy bought into hook, line and sinker: a scheme to protect you rather than one to prevent you from using your computer in unapproved ways.
Which they can. If new systems come Palladium-enabled, don't buy them. Unless you're a hardcore gamer, what would you need an 8GHz system with 2gb ram and 1tb hard drive for anyway?
Best Slashdot Co
I think it would make more sense if such a hardware crypto device would be viewed as such -- a device. The computer is not "self aware", If you were to install another OS on it, and it didn't have a driver for it then you won't be able to take advantage of the device. Just as if you have a video card that supports 3D acceleration but you don't have the proper driver. You can still view stuff but can't take advantage of the extra functions.
On the X-box? You can only run signed programs. Modifying the X-box is a circumvention of a device that's illegal under the DMCA. All Microsoft has to do is port Office and IE to the X-box and voila. Dump Windows and get the masses using X-boxen for their secure and safe computing needs....
Baz
Remember, Trusted Computing means that large corporations get to trust your hardware because they don't trust you...
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Where in this article, or the previous articles, does it say that the hardware would not let alternative operating systems be installed? Will only operating systems that use the key embedded into the hardware be "allowed" to install? And if so, how the hell can they accomplish this? It seems like if you can install linux or an older version of windows without using the public/private key stuff then it isn't as much the horrible linux-killing initiative some make it out to be. I'm not trying to troll, flamebait, etc., I'm just curious.
One concern I have about widespread distributions of current technology cryptography would be reliance on crypto that is based on difficult (and theoretically complex) calculations. If the only thing that keeps public crypto safe is, for example, the difficuly of factoring, it's safe to say that advances in technology will likely render that difficulty less implausible and more accessible. As Avi said (paraphrase): I want it secret until man is no longer capable of doing evil.
Naturally, this is not an argument for an anti-crypto position. It is merely a caution for overreliance on the secure technologies of today.
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
And (barring their joining the TCPA at some later date) that appears to be Apple at the moment.
Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.
Kinda makes mac hardware with yellow dog or OS X seem like an attractive prospect, huh?
1984 was supposed to be a warning, not an instruction manual.
Actually I would think that there are some motherboard manufacturers out there that would give us a nice little BIOS switch to turn it on and off. Hell, my last Gigabyte board came with a Windows utility to overclock it (never worked but it was a nice try).
Other hardware vendors aren't going to incorporated that code into non-updatable hardware chips. It'll either be software or the chips will be flashable. In either case somebody will hack it.
Alright, it's simple, we DON'T have to upgrade to Palladium... but Microsoft has a way of incorporating *just enough* (except in the case of ME) incremental improvements to make it worth our while. What if this is the watershed Windows platforms that finally delivers on all its promises? Across the board, including security? I'm afraid far too many people, people who even ordinarily would know better, might be enticed by that. But seriously. This definitely warrants a serious grass-roots counter-PR campaign. I'm certainly game. *grin*
ShaunDon
"I swear I way more than half-believe it when I say that somewhere love and justice shines" - The Weakerthans
Fair use only prevents them from giving you legal grief for using the technology. Nowhere does the law say that they have to make excercising your fair use convenient.
It's like car stereos: Ford can't prevent me from swapping out the junk stereo they put in my car with a nice non-ford model, but if they don't put a DIN opening in the dash, it's gonne be really inconveniet for me to do so. Nobody says they have to make it easy, just that they can't sue you.
1984 was supposed to be a warning, not an instruction manual.
Interesting idea, but according to Goodwin's Law, the first party in a discussion to mention "Hitler" or "Nazi" has lost the discussion.
I wonder if the law should be updated to include "terrorist"?
From the: Quotes-to-cringe-by dept.
MICROSOFT PROMISES--and I believe that they're serious--that users will control their own personal information.
Since when? Since when do people trust M$, the company that has time-and-again said that software is secure when it's not, that they provide customer support when they don't, that they're not trying to be a monopoly when they are, that they're not strong-arming 3rd party manufacturers when Craig Barrett is clearly wincing? If the EULA doesn't scare you yet, you aren't paying attention.
But how this plays in the real world, where users often have very little power, remains to be seen.
Ah, maybe in your little world of sheeple, but folks like me give ourselves power through OSes that don't patronize.
Microsoft has one key factor in its favor: the growing realization among its customers that we must do something, and that tomorrow's digital devices--and I'm talking much more than PCs here--need the trustworthiness that Microsoft claims Palladium will offer.
I think he's missing the boat on this one. Users don't give a rats banana about trust, or they wouldn't be using passwords like "mypassword" when checking Hotmail. They simply don't care about that. What they care about is the *big*bad*unknown* screwing up their ability to email, type letters to their friends, and have cybersex on AIM. If their OS provides that, they're fine. Trust is marketing B$ for "we're gonna cuddle you like a foster parent and shield you from the big bad world."
But is the world ready to trust Microsoft on something it has such a hard time explaining? and implementing, and supporting, and documenting, and....
Holy smoke-n-mirrors, Batman.
Blog,Twitter
It's inevitable that computers will become appliances. Anything which is marketed to, designed for, and used by the masses will eventually become simple and easy to use, and probably a commodity unless one company holds a monopoly on its production. The original Apple was the first step; this is merely another.
But that doesn't mean computers won't exist to hack on for amateurs. Did the CD eliminate HAM radio, or the amateur musician? Does an electronics geek bemoan the fact that he can't put together his own DVD player, or does he spend his time doing more interesting things? When computers become appliances, they will become boring.
It also doesn't mean that professional computing will go this way. To use the same analogy: do you think a radio broadcasting station uses an off-the shelf CD player? Do you think they go to Best Buy, see the low-end consumer hardware sold there, and say "Damn, I need something better, more customizable, but I guess I just can't buy it anywhere." Professionals will use professional products, and that means many things: high quality, no frills, and expensive. Microsoft will NOT be able to convince any computer professional to use this "Palladium" crap for a server. They won't even try. They will probably have a server OS which can serve Palladium-enabled content; but that won't be the only option, unless it's so good that it's all professionals want.
The readers of Slashdot are all amateur computing enthusiasts, and many of them are computer professionals as well. We may end up using a commodity computer appliance, just like the rest of the world; but our Linux boxes will always be around to hack on.
Ross Anderson's paper should be required reading. But then that's just my HO.
Just what is so untrustworthy of the PC platform? NOTHING! The platform itself is just fine for what it is supposed to be. It's the software that makes it untrustworthy. Or the people managing that software (who allow breaches through social engineering to occur). So adding a new bit of hardware is going to protect us from irresponsible people?
IBM's computers are not considered untrustworthy. Is it because of special security hardware? NO. It's because the operating systems are written with security in mind from the beginning and not bolted on afterwards. Similarly, other platforms have been considered trustworthy without requiring custom PKI hardware. Wasn't it a system running VMS that resisted all attempts to crack it at the last Defcon? No special security hardware is part of an Alphaserver.
Why has security, all of a sudden, become a hardware problem. Well, Microsoft tries to paint the PC platform as insecure and untrustworthy in an attempt to divert attention from the fact that it's been their software that has been the reason for all the security breaches. The hardware vendors go along with this because of the lure of future CPU and systems sales. IMO, the purpose of Palladium (and TCPA) is to solve an economic problem for some software and hardware vendors.
Remember, Microsoft decided that the best way to deal with the security problems with their software was to hire a lawyer to be their chief security honcho and not someone with extensive credentials in computer security. Rather telling, eh?
CUR ALLOC 20195.....5804M
I don't think he predicted this exact scheme, but he was spot-on about the general idea, I think.
Remember, IE wasn't the "standard" until one day we all woke up and Netscape's market share had vanished thanks to bundling. If MS makes every Windows client behave just a little bit differently from the norm and pushes it out there, one day we'll wake up and the entire Internet will be a MS-only world.
It's the same with hardware. When your software drives over 90% of the desktops in the world, if you build software that is symbiotic with validated "trusted" hardware the hardware vendors will design for it. Your typical motherboard vendor could care less if Linux runs or not - they want the portion of the market that runs Windows. They'll do what it takes to get that vaunted Windows seal on their box.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Microsoft steals OS components from non-GPL sources and never admits it (TCP stack from BSD)
Apple develops software to assist you in ripping your CDs, mixing them to your liking and burning them onto new CDs or DVDs (iTunes)
Microsoft "patches" software while changing the EULA to allow them to automatically shut off ANY software you might be running that they feel violates their interpretation of DRM (Media Player)
Hardly seems like parallel tracks to me.
--NBVB
It is a nice theory that it will die and the ISV's will refuse to go along, but in practice, I see this happening; Microsoft will court certain strategic companies who will be asked to publically endorse it, and then will be in a position to dominate specific market niches by the fact they will be able to provide Palladium enabled applications earlier than their competitors. After these other market segments consolidate more, like has happened with enterprise accounting, Microsoft will then buy out the strongest remaining player(s), or choose to give something similar away free to drive the remaining ISV's out of a given target market. That's what they need their 40+ billion in the bank for.
The idea that some software companies would see the threat and all would solidly refuse to cooperate is to be fantasizing and ignoring existing history. Go to the PC Expo I went to in NYC, and see the software vendors there, all shackeled, to the Microsoft "partners" booth. Yes, like Lenin one said, taken into this context, they will provide the rope to hang themselves!
Already the software market is considerably smaller than it was even 5 years ago and the number of products far fewer. While individual companies that survived may have grown, the ISV market as a whole, even adding Microsoft's growth, has actually shrunk considerably in total size, as well as in innovation and new products.
"Slaveware" would probably be more apt. It has all of the connotations, with none of the reactionary bs associated with it. And it fits.
Give it a little more time. I don't think that many XP users have gotten to the point where they've attempted to add or change the hardware on their PC and triggered the XP `you must reactivate' process. Once that starts to happen, I bet you'll hear more users begin squawking.
CUR ALLOC 20195.....5804M
Or maybe I just haven't seen one yet.
Remeber the Anti-DIVX campaign a few years back? That worked perfectly. DIVX (the DVD player, not the codec) was dead before it ever hit the shelves. Why is there not a www.fuckpalladium.com yet? or maybe www.getoutofmycomputer.com. There's no shortage of MS haters out there. This ball should get itself rolling.
All of this seems the same as DIVX - some company telling you what you can and can't do with shit you've already bought. People won't stand for it as long as someone gives it to them straight. All that you need to tell them is "Palladium won't let you burn CD's" and you'll have a backlash on your hands. Even the least tech-savvy users will understand what that means. If I had the time and resources i'd register www.nopalladium.com, but I don't. If everybody puts a link to www.fuckdrm.com on their website, people will get the idea and this will die on the vine like DIVX and the PSN.
Not to be a cad, but how many of us have written a printed letter to be sent to congress on the necessity of internet/electronic freedom? I hate to say it, but they actually pay attention to the letters that come in the mail (instead of tallying the ones by email).
/. readers sent in a letter detailing the problems of every corporate ploy we see here... Or we could be like the French and demonstrate IRL
Why does Congress pay attention to mailed letters? Because the trouble it takes to mail something is equal to the difficulty of mailing in votes.
If 1/12 of the
Anyone want to guess how long until the word "terrorism" gets in somewhere?
Another terrorist attack or two, and Americans will be begging for this stuff. Hopefull that won't happen.
I was at first reluctant into saying this technology is all bad. Its easy to get into an anti-Microsoft jihad.
But this technology is all bad.
I can't believe that MSN article, I really can't. Its a silly spin on this technology that isn't going to last. Here's some stuff from the MSN article on what this stuff is going to do:
"Tells you who you're dealing with--and what they're doing. Palladium is all about deciding what's trustworthy. It not only lets your computer know that you're you , but also can limit what arrives (and runs on) your computer, verifying where it comes from and who created it."
We already have this, its called Public Key Encryption or alternatively Symmetric Encryption. Free Software users already have GNU Privacy Guard at our disposal.
Of course, the downside of this technology is that it isn't too useful over the internet without creating a rather large web of trust -- a very difficult task. I'd like to know how Palladium would rectify this?
"Protects information. The system uses high-level encryption to 'seal' data so that snoops and thieves are thwarted. It also can protect the integrity of documents so that they can't be altered without your knowledge."
First, we already have high-level encryption. And most anti-virus programs 'innoculate' your files anyway. This only sounds like Microsoft is targeting the anti-virus next -- by integrating them into the operating system.
"Stops viruses and worms. Palladium won't run unauthorized programs, so viruses can't trash protected parts of your system."
I haven't used Windows since Windows 95, but I know Unix-like systems have had multi-user security since practically forever. Its heavily suggested to new users to set up their own accounts on their system to use. "protected parts" os a Unix-like system is whatever root owns, which is quite a lot.
"Cans spam. Eventually, commercial pitches for recycled printer cartridges and barnyard porn can be stopped before they hit your inbox--while unsolicited mail that you might want to see can arrive if it has credentials that meet your standards."
So basically digital signatures for real this time...
"Safeguards privacy. With Palladium, it's possible not only to seal data on your own computer, but also to send it out to 'agents' who can distribute just the discreet pieces you want released to the proper people. Microsofties have nicknamed these services 'My Man.' If you apply for a loan, you'd say to the lender, 'Get my details from My Man,' which, upon your authorization, would then provide your bank information, etc. Best part: Da Man can't read the information himself, and neither can a hacker who breaks into his system."
This may sound interesting, depending on how its implemented. But what can this Palladium technology offer that a sane encryption policy can't? And whats going to prevent users from screwing up the security?
(side note: "My Man" sounds really funny)
"Controls your information after you send it. Palladium is being offered to the studios and record labels as a way to distribute music and film with 'digital rights management' (DRM). This could allow users to exercise 'fair use' (like making personal copies of a CD) and publishers could at least start releasing works that cut a compromise between free and locked-down. But a more interesting possibility is that Palladium could help introduce DRM to business and just plain people. 'It's a funny thing,' says Bill Gates. 'We came at this thinking about music, but then we realized that e-mail and documents were far more interesting domains.' For instance, Palladium might allow you to send out e-mail so that no one (or only certain people) can copy it or forward it to others. Or you could create Word documents that could be read only in the next week. In all cases, it would be the user, not Microsoft, who sets these policies."
And we're back to digital rights management. Does anyone know how to implement what they say with the Word document with the technology we have now? It almost sounds like an Actually Useful Feature. "This email will self-destruct," kind of thing.
But really, this thing is about enforcing what some people consider an unconstitutionally unlimited copyright system. Not to mention what kind of havoc would be caused if trademarks were decided to be under the umbrella of digital rights.
One thing the Coursey article confirmed is that Microsoft does have a patent on this technology -- it seems logical they would license this under the CIFS (no GPL or copyleft) pretty much excluding free software from implementing this.
Because this stuff was leaked so early, there is still time (they are saying like four or five years) for someone to build up a response to this. Or it will simply flop because the market won't like it. Or what I think is likely is that DVDs will only be allowed to play on Palladium-approved machines. Then we'll have a mix of Palladium and non-Palladium machines, one with a superset of the features of the other.
Which one will Mr. and Mrs. Ignorant want to buy for their son?
I guess we will be expected into buying a licensed computer. Where the computer is not actually ours, but we can use it.
Sounds like a car lease or something... I wonder how they will determine the mileage on my 'puter?
tony
brainclone.com
but downloading and manually building a package and its dependencies, sometimes rebuilding the kernel. It's just not the same as an installshield-type GUI installer, and I won't apologize for it.
Notice my comment about Ximian -- utilities such as Red Carpet and up2date negate the need to do things by hand. True, there is less of an application base for these, but they are coming along quite nicely considering they're both relatively new.
And as far as installation and distrib., I should have been more explicit: Red Hat. Even the custom install is hardly difficult for someone who knows computing basics, especially given the help in the sidebar.
Take, f'rinstance, video formats. Yes, there is a package now for viewing AVIs under Linux. But to get it working is another matter.
Like I said, there are plenty of issues with file formats. While doc, xls, ppt, mpg, mp3, etc. etc. etc. are all supported, there are a few important ones missing -- I concur with you, my most sought after file formats are movie formats. Here is something I'm looking forward to become standard.
In order for Linux to "rule" the desktop (as many hope it will), there needs to be the same simplicity in setup, maintenance and use as its competition
Repeating myself:
Setup - RH Linux is just as simple as Windows on a "Workstation" install, not much more difficult on custom.
Maintenance - This is a problem in some areas. Groups like Ximian are working on it -- their new configuration panel (forgot the name -- similar to MS Control Panel) is nice, IMO, and getting better.
Use - Again, this area needs work in the area of common applications, but things such as Evolution, AbiWord, OpenOffice, GnuCash, etc. are making a lot of headway here.
~Dalcius
Rome wasn't burnt in a day.
Unless, of course, Sen. Fritz Hollings (D-Disney) is successful in his quest to make such machines illegal.
Even two years from now, ballmer and friends will not be strong enough to fight every other software company in the world united against them.
Or they will. While $40B (that MSFT has in the bank) might not be enough to buy EVERY software outfit out there, it would certainly be enough to munch up all but maybe the top five other vendors. That, or they could merge with, say, AMD after a couple of years of pseudo-merged operations (aka "partnerships").
Just because you're paranoid doesn't mean they aren't out to get you :-)
"Time flies like an arrow; fruit flies like a banana." --Groucho Marx
I must admit, this is a masterful stroke. It appears to give users additional control over their computer's security, while limiting the options in such a way that it actually concentrates that control into others' hands.
[NOTE: Since real information about Palladium is pretty fuzzy right now, I'm theorizing a bit about its capabilities for now. Only time will tell...]
It can remove my power to choose what's authorized to run on my computer. It can prevent usage of "untrusted" or "unauthorized" code. Lovely turn of phrase, that. Notice how it uses the passive to avoid any implication of *who* is trusting or authorizing the code? "Palladium is all about deciding what's trustworthy. It not only lets your computer know that you're you , but also can limit what arrives (and runs on) your computer, verifying where it comes from and who created it." The implication is that the user is in control, but who decides?
I have not yet seen anything saying how programs are authorized. It would be logical to set up a coalition to do this, and use membership agreements to control the behavior and competitiveness of its members, and exclude undesirables. We can see prior art in the way the DVD-CCA controls access to the CSS keys and uses that control to enforce region controls and lack of digital output.
It can remove my power to access information, since Palladium "can limit what arrives" on my computer. In other words, the authorization control can extend beyond code to data. If a site does not have a valid Palladium authorization (however those are issued), then Palladium may be able to prevent access to it (and tell me that it has saved me from an "unauthorized site"). Again, the key to this control rests in the authorization process.
It can remove my power to customize my computer. No, I'm not talking about case mods, I'm talking about OS and program configuration. In order to maintain a "trustworthy" system, it will have to limit access to the configuration system. Assuming they keep something like the Windows Registry, I can see two options here. They may refuse to authorize regedit, et al., and remove OS authorization from any registry touched by those programs. Or they may remove the my ability to change anything "critical" (by some definition or other) in the registry.
Ultimately, it can force a choice between "all-Palladium" and "no-Palladium". If it can refuse to run unauthorized programs or access unauthorized sites while any authorized programs are running or authorized sites are being accessed, then I cannot work in both realms at the same time. I must either choose "Palladium" ("safe") or "non-Palladium" ("dangerous"). It could also deal with these realms asymmetrically: if I try to use Palladium resources, it could automatically close all non-Palladium resources (and tell me that it has saved me from danger), but if I try to use non-Palladium resources, it might refuse to load them until I had manually closed all of my Palladium resources, and perhaps rebooted.
Faced with this choice, how many users will be willing to give up some useful non-Palladium resources rather than giving up all Palladium resources? Immanentizing the false dichotomy, anyone?
I sure hope I'm wrong about this, and that I'm just being too paranoid. Unfortunately, recent history seems to show that we need a really healthy dose of paranoia when dealing with things like this. Again, only time will tell for sure.
Totally bogus. Websites are not that easy to vandalize. Especially if they are running Apache under OpenBSD.
Rember Hailstorm? How is this going to solve your privacy issues, especially considering the new EULA in MS's latest security patch that allows them to root your computer and look around anytime they want?
Why is security now viewed as a threat to MS before January? Aren't they a Monopoly? Can't they make a user friendly OS without the chronic security holes? And why are there security holes is Windows Medai player?
Who's ability? My ability or Microsoft's ability? If its my ability: how so? If its anybody else: screw them.
What about privacy?
Please tell me how they are going to be snooping around my computer to begin with?
This comming from the company that run Hotmail. All I get there is SPAM. Then I get SPAM from MS telling me to buy more space because I might not be getting all email! Like I'm acctually going to spend money so I can have a bigger bucket for the SPAM.
Why would I want a third party involved in my transactions? The thrid party may not have access to your information, but they can tell what is going on. For example if Progressive insurance regularly access certain information, they can sell the information they do have about me, contact info and such, to a competing company like Farmers or Geico.
I seem to rember a courtcase where an author wanted a cut from or block off sales of used copies of his books. The Supreme Court shot it down. Right now if I buy something, I have the right to resell it, with DRM I don't
Palladium is a dead-serious attempt to finally make it happen,....He's right.
They were also afraid of VCRs. I don't see the industry bankrupt yet though.
Bullshit.
And how will this dilute MS's monopoly?
If someone is passing you on the right, you are an asshole for driving in the wrong lane.