MS Palladium Patent

Concerned Citizen writes "cryptome has Microsoft's patent for Palladium. Including such gems as: 2. The computerized method of claim 1, wherein protecting the rights-managed data comprises: refusing to load the untrusted program into memory. 14. The computerized method of claim 1, further comprising: restricting a user to a subset of available functions for manipulating the rights-managed data. And I'm sure we'll all be coerced to agree to Palliadium during a future security patch agreement."

Re:how 'bout apple

[tunah]

Microsoft bought a bunch of non-voting stock in apple as part of a deal that included cross licensing of patents. This settled a long running dispute of MS supposedly stealing apple's look and feel.

Microsoft quietly sold their stock (for a profit) some time afterward.

Hat trick?

[TheSHAD0W]

So Palladium won't load an untrusted program into memory... How would it accomplish that? In order to determine whether a program was properly signed, one would need to get its checksum. In order to do that, you would have no choice but to load it into memory of some form. I suppose you could bypass the RAM, DMA it through a dedicated calculator... But that would be inefficient; you'd need to scan it once, and then load it for execution. And you'd need to do it every time you ran the code, or someone could have compromised the data on the system's drive by editing it on a non-Palladium system.

And what's the big deal about having "non-trusted" code loaded into RAM anyway? Actually, it's very easy to put one's own binary code into the system's memory; load it as raw data. An OOB-type exploit can pass control to that nearly as easily as it can execute a program that's been loaded but not yet determined to be trustworthy.

Uhmm, sorry! Lot's of prior art here ;-)

[manyoso]

"The computerized method of claim 1, wherein protecting the rights-managed data comprises: refusing to load the untrusted program into memory."

Hmmm. Seems to me that this 'art' has been around since the beginning of Unix. Hell, Microsoft has been providing a form of this 'art' with NT and 2000 for quite sometime. It's called permissions! And what would you call the recent advent of the NSA's Secure Linux? Administrators have been 'refusing to load the untrusted program into memory' for quite sometime to protect data... The only thing different about this scheme is Microsoft will be instituting a system where the company itself is root/administrator and the previous system admins are relegated to subordinate positions.

"The computerized method of claim 1, further comprising: restricting a user to a subset of available functions for manipulating the rights-managed data."

Ahh, this has also has seemingly been done since time began ;-) For instance, with Unices I can restrict the user to reading the data, writing the data, executing the data or some combination thereof... Thus Unix has been able to restrict 'a user to a subset of available functions for manipulating the rights-managed data'.

Cheers!

Yeah, but I don't think it was Microsoft...

[da+cog]

I felt a great disturbance in the force, as if millions of server processes suddenly cried out in terror, and suddenly silenced.

I feel something terrible has happened.

*** SOME TIME LATER ***

KONQUEROR: Our position's correct except... no cryptome.org.

ME: What do you mean? Where is it?

KONQUEROR: That's what I'm trying to tell you, kid, it ain't there. It's been totally blown away.

ME: How?

It's been destroyed... by the Slashdot.

KONQUEROR: The Slashdot crowd couldn't take down the whole site! It would take ten thousand people with more free time than I've...

*Alarm bell goes off* ...*** TO BE CONTINUED ***

Is this going to be the new whipping boy?

[night_flyer]

since the 26th of June Slashdot has had five stories concerning palladium:

http://yro.slashdot.org/article.pl?sid=02/06/23/ 16 41205&mode=thread&tid=109

http://slashdot.org/article.pl?sid=02/06/27/1252 27 &mode=thread&tid=109

http://slashdot.org/article.pl?sid=02/07/02/1617 21 8&mode=thread&tid=109

http://yro.slashdot.org/article.pl?sid=02/07/04/ 13 14229&mode=thread&tid=109

and now this one... shouldnt the paranoia level be turned down a notch till we have something a little more concrete?

TCPA / Palladium Frequently Asked Questions

[malakai]

This is a very scary paper. You think MS spews a lot of FUD, this papers is almost pure FUD.

First, this guy thinks a lot of himself:

The Palladium announcement appears to have been provoked by a paper I presented on the security issues relating to open source and free software at a conference on Open Source Software Economics in Toulouse on the 20th June

FUD

2. What does TCPA / Palladium do, in ordinary English?
Its obvious application is to embed digital rights management (DRM) technology in the PC. The less obvious implications include making it easier for application software vendors to lock in their users

Notice the bold FUD.

. So I won't be able to play MP3s on my PC any more?
With existing MP3s, you may be all right for some time. But in future, TCPA / Palladium will make it easier to sell music, movies, books and other content packaged so that people can play them on their PCs but not copy them.

Oh my, that sounds horrible. We could have a market finally for digital releases, one where I get my media, and the seller gets his money.

You might be allowed to lend your copy of some digital music to a friend, but then your own backup copy won't be playable until your friend gives you the main copy back.

Sounds fair. Keeps me from making 10 copies of this new movie and giving them to my friends.

Quite possibly you will not be able to lend music at all. (It looks likely that the music publisher will be able to make the rules - and to change them at will by remote control.)

And thus more speculation and FUD.

5. What else can TCPA and Palladium be used for? ...For example, you might arrange that your soldiers can only create word processing documents marked at `confidential' or above, and that only a TCPA PC with a certificate issued by your own armed forces can read such a document. This is called `mandatory access control', and governments are keen on it. The Palladium announcement implies that the Microsoft product will support this. Once TCPA is widespread, corporations can do this too - and so, for that matter, can the Mafia. This can make life harder for spies, corporate whistle-blowers, and FBI agents alike (though it is always possible that the FBI will get some kind of access to master keys)(FUD). A whistle-blower who emails a document to a journalist will achieve little, as the journalist's Fritz chip won't give him the key to decipher it.

OK, so now the open-source movement is AGAINST encryption/privacy? Does this mean PGP is bad now too? This sounds like technology I always assume US military intelligence organizations already use. I don't want a whistle-blower leaking confidential battlefield plans (we've seen it happen a lot in the last year). As for corporations, if a whistle-blower can't print, email, fax, save to disk some document, they'll find some other way to blow the whistle. This is a stupid argument as for why Palladium as a whole is bad.

10. OK, so TCPA stops kids ripping off music and will help companies keep data confidential. It may help the Mafia too, but apart from the pirates, the industrial spies and the FBI, who has a problem with it?

I'm sure the FBI would love it if the Mafia started using DRM certs on their data. It'd be much easier to ask a judge for the rights to sieze and open documents certified by this certificate, then say to ad-hoc monitor possibly private data in an attempt to get to Mafia data.
Note, it will never happen. Criminal elements will stay away from technology like DRM and pallidum.

A lot of companies stand to lose out. For example, the European smartcard industry may be hurt, as the functions now provided by their products migrate into the Fritz chips in peoples' laptops, PDAs and third generation mobile phones. In fact, much of the information security industry may be upset if TCPA takes off.

Elmer FUD would be proud. I went and pulled the membership on the EUROSMART list, and I see a lot of overlap with TPCA. I guess they don't hate it that much.

11. How can TCPA be abused?
One of the worries is censorship (...)
For example, the police could get an order against a specific pornographic picture of a child, and cause the policy servers to instruct all PCs under their control to search for it and notify them if it were found.

First, that's not censorship, that's search (and possibly seizure) and it's pure FUD to presume the government will push a button and search you hard-drives and then drag you down to the police station, for your dirty little picture. However, even if they did... this picture would have to be signed somehow, and under DRM protection. Not sure why a child pr0n peddler would take the time to DRM his pictures. And if you want to view that sick stuff, turn off the DRM system before you do it. Yes, it does have an off switch. While off, you can't use the apps in DRM mode, meaning you can't open DRM certified media.

12. Scary stuff. But can't you just turn it off?
Sure - one feature of TCPA is that the user can always turn it off. But then your TCPA-enabled applications won't work, or won't work as well. It will be like switching from Windows to Linux nowadays;

Oh my god. It's at this point I have to stop reading this horrible FUD..er FAQ. Disable DRM, and the DRM enabled functionality in DRM enabled apps will cease to work, the apps will continue to work. Sure, you can't open your ULTRA-7 security level report, that the NSA sent to you, but theres good reason for that. Turn back on the trust management, and then open that report. And what's with saying it's like switching from Windows to Linux? First, what the fook is wrong with linux bitch? and second, that makes no sense!

I honestly went to this FAQ to try and see both sides of the Palladium debate. But this FAQ is a borderline paranoia conspiracy rant. It hurts the anti-palladium side more than helps. Stick to the facts, dissect it like a Vulcan would. Show me logical arguments, and keep your emotion and fear out of it.

-malakai

Rebuttals of some of those points

[Anonymous+Brave+Guy]

First, this guy thinks a lot of himself:

He's entitled to. He's an established expert with credentials in the industry, and it's quite possible that his understanding and information on this subject is ahead of most people's, including the MS guy posting on this thread.

The less obvious implications include making it easier for application software vendors to lock in their users

Notice the bold FUD.

It's nothing of the sort; it's a very real issue. If you provide a means to lock people out of data -- which is essentially all DRM is -- and then appoint MS as the effective custodian of that data, what is to stop them abusing the technology to stop you loading a document you created in MS Word with, say, a translator for OpenOffice? As those crying "FUD" are shouting so loudly here, there is precious little solid information available and even fewer guarantees, and MS has a demonstrated history of abusing any power it gets through its dominant position in the market. A little caution is more than justified here. It's only paranoia if they're not all out to get you.

Oh my, that sounds horrible. We could have a market finally for digital releases, one where I get my media, and the seller gets his money.

It's also a market where critics could potentially be stopped from using controlled material in a legitimate way. Worse, that potential is controlled by whoever owns the DRM controls -- MS in our current scenario -- and not by a suitable legal system. This is not in the interests of the common consumer of these products.

First, that's not censorship, that's search (and possibly seizure) and it's pure FUD to presume the government will push a button and search you hard-drives and then drag you down to the police station, for your dirty little picture.

This is a bad caveat, because I doubt anyone here would have any sympathy if a child pornographer got screwed to hell; the ability to do this in such cases is a definite plus point of the proposed approach. The problem is that the same technology could be used to prevent the distribution of, for example, information certifying that Microsoft's accounting practices are highly dubious (such as is currently freely available on the web), and once again, the control is in the hands of the DRM guys, not the duly appointed government.

And what's with saying it's like switching from Windows to Linux? First, what the fook is wrong with linux bitch?

There are far fewer applications currently available for Linux, and hence you are limited in what you can do with it. If you can't see the parallels to the DRM scenario, and the problems potentially created, I'm afraid you really aren't looking very hard.