MS Palladium Patent

Concerned Citizen writes "cryptome has Microsoft's patent for Palladium. Including such gems as: 2. The computerized method of claim 1, wherein protecting the rights-managed data comprises: refusing to load the untrusted program into memory. 14. The computerized method of claim 1, further comprising: restricting a user to a subset of available functions for manipulating the rights-managed data. And I'm sure we'll all be coerced to agree to Palliadium during a future security patch agreement."

Hat trick?

[TheSHAD0W]

So Palladium won't load an untrusted program into memory... How would it accomplish that? In order to determine whether a program was properly signed, one would need to get its checksum. In order to do that, you would have no choice but to load it into memory of some form. I suppose you could bypass the RAM, DMA it through a dedicated calculator... But that would be inefficient; you'd need to scan it once, and then load it for execution. And you'd need to do it every time you ran the code, or someone could have compromised the data on the system's drive by editing it on a non-Palladium system.

And what's the big deal about having "non-trusted" code loaded into RAM anyway? Actually, it's very easy to put one's own binary code into the system's memory; load it as raw data. An OOB-type exploit can pass control to that nearly as easily as it can execute a program that's been loaded but not yet determined to be trustworthy.

Is this going to be the new whipping boy?

[night_flyer]

since the 26th of June Slashdot has had five stories concerning palladium:

http://yro.slashdot.org/article.pl?sid=02/06/23/ 16 41205&mode=thread&tid=109

http://slashdot.org/article.pl?sid=02/06/27/1252 27 &mode=thread&tid=109

http://slashdot.org/article.pl?sid=02/07/02/1617 21 8&mode=thread&tid=109

http://yro.slashdot.org/article.pl?sid=02/07/04/ 13 14229&mode=thread&tid=109

and now this one... shouldnt the paranoia level be turned down a notch till we have something a little more concrete?

TCPA / Palladium Frequently Asked Questions

[malakai]

This is a very scary paper. You think MS spews a lot of FUD, this papers is almost pure FUD.

First, this guy thinks a lot of himself:

The Palladium announcement appears to have been provoked by a paper I presented on the security issues relating to open source and free software at a conference on Open Source Software Economics in Toulouse on the 20th June

FUD

2. What does TCPA / Palladium do, in ordinary English?
Its obvious application is to embed digital rights management (DRM) technology in the PC. The less obvious implications include making it easier for application software vendors to lock in their users

Notice the bold FUD.

. So I won't be able to play MP3s on my PC any more?
With existing MP3s, you may be all right for some time. But in future, TCPA / Palladium will make it easier to sell music, movies, books and other content packaged so that people can play them on their PCs but not copy them.

Oh my, that sounds horrible. We could have a market finally for digital releases, one where I get my media, and the seller gets his money.

You might be allowed to lend your copy of some digital music to a friend, but then your own backup copy won't be playable until your friend gives you the main copy back.

Sounds fair. Keeps me from making 10 copies of this new movie and giving them to my friends.

Quite possibly you will not be able to lend music at all. (It looks likely that the music publisher will be able to make the rules - and to change them at will by remote control.)

And thus more speculation and FUD.

5. What else can TCPA and Palladium be used for? ...For example, you might arrange that your soldiers can only create word processing documents marked at `confidential' or above, and that only a TCPA PC with a certificate issued by your own armed forces can read such a document. This is called `mandatory access control', and governments are keen on it. The Palladium announcement implies that the Microsoft product will support this. Once TCPA is widespread, corporations can do this too - and so, for that matter, can the Mafia. This can make life harder for spies, corporate whistle-blowers, and FBI agents alike (though it is always possible that the FBI will get some kind of access to master keys)(FUD). A whistle-blower who emails a document to a journalist will achieve little, as the journalist's Fritz chip won't give him the key to decipher it.

OK, so now the open-source movement is AGAINST encryption/privacy? Does this mean PGP is bad now too? This sounds like technology I always assume US military intelligence organizations already use. I don't want a whistle-blower leaking confidential battlefield plans (we've seen it happen a lot in the last year). As for corporations, if a whistle-blower can't print, email, fax, save to disk some document, they'll find some other way to blow the whistle. This is a stupid argument as for why Palladium as a whole is bad.

10. OK, so TCPA stops kids ripping off music and will help companies keep data confidential. It may help the Mafia too, but apart from the pirates, the industrial spies and the FBI, who has a problem with it?

I'm sure the FBI would love it if the Mafia started using DRM certs on their data. It'd be much easier to ask a judge for the rights to sieze and open documents certified by this certificate, then say to ad-hoc monitor possibly private data in an attempt to get to Mafia data.
Note, it will never happen. Criminal elements will stay away from technology like DRM and pallidum.

A lot of companies stand to lose out. For example, the European smartcard industry may be hurt, as the functions now provided by their products migrate into the Fritz chips in peoples' laptops, PDAs and third generation mobile phones. In fact, much of the information security industry may be upset if TCPA takes off.

Elmer FUD would be proud. I went and pulled the membership on the EUROSMART list, and I see a lot of overlap with TPCA. I guess they don't hate it that much.

11. How can TCPA be abused?
One of the worries is censorship (...)
For example, the police could get an order against a specific pornographic picture of a child, and cause the policy servers to instruct all PCs under their control to search for it and notify them if it were found.

First, that's not censorship, that's search (and possibly seizure) and it's pure FUD to presume the government will push a button and search you hard-drives and then drag you down to the police station, for your dirty little picture. However, even if they did... this picture would have to be signed somehow, and under DRM protection. Not sure why a child pr0n peddler would take the time to DRM his pictures. And if you want to view that sick stuff, turn off the DRM system before you do it. Yes, it does have an off switch. While off, you can't use the apps in DRM mode, meaning you can't open DRM certified media.

12. Scary stuff. But can't you just turn it off?
Sure - one feature of TCPA is that the user can always turn it off. But then your TCPA-enabled applications won't work, or won't work as well. It will be like switching from Windows to Linux nowadays;

Oh my god. It's at this point I have to stop reading this horrible FUD..er FAQ. Disable DRM, and the DRM enabled functionality in DRM enabled apps will cease to work, the apps will continue to work. Sure, you can't open your ULTRA-7 security level report, that the NSA sent to you, but theres good reason for that. Turn back on the trust management, and then open that report. And what's with saying it's like switching from Windows to Linux? First, what the fook is wrong with linux bitch? and second, that makes no sense!

I honestly went to this FAQ to try and see both sides of the Palladium debate. But this FAQ is a borderline paranoia conspiracy rant. It hurts the anti-palladium side more than helps. Stick to the facts, dissect it like a Vulcan would. Show me logical arguments, and keep your emotion and fear out of it.

-malakai