Slashdot Mirror


The Power of Palladium

phriedom writes "Salon has coverage of Palladium which gives first page coverage to the idea that Palladium is designed to kill open source software. My favorite part though is on page two, where the Microsoft apologist says that one's view of Palladium 'depends on what you believe Microsoft's long-term aims are. If you believe it's to stimulate commerce and stimulate security, it's a step in the right direction ...and if you're perhaps given to suspicions that Microsoft always makes decisions with the aim of frustrating competitors of the Windows empire rather than for the good of consumers, you might have a different view of the same architecture.'" Wired also has a story claiming under-the-hood exposure to Palladium, although it doesn't seem to have much information that hasn't come out already. Update by J: Steven Levy's Palladium story, which we linked to in an earlier article, has allegedly been pulled from MSNBC's website. Anyone know if there's a simple explanation of this?

  1. Microsoft: Palladium not just for Windows by savaget · · Score: 5, Informative
  2. Details on Palladium from EFF's Seth Schoen... by sheldon · · Score: 5, Informative

    Apparently Microsoft met with the EFF to discuss Palladium. Mr. Schoen wrote up his notes from the meeting.

    His notes are more technical in nature and he doesn't make much in the way of idle speculation, so they tend to disagree with much of the reporting that's shown up on Slashdot.

    1. Re:Details on Palladium from EFF's Seth Schoen... by km790816 · · Score: 4, Informative
      From the document:
      "Microsoft assumed as a design criterion for Palladium that existing versions of Windows should be able to run on a Palladium PC, as should existing Windows applications, as should existing non-Windows operating systems like Linux. There is no attempt to stop people from booting whatever code they currently use or may write in the future. In addition, the hardware trust features can potentially be used by specially-adapted software, regardless of what operating system is running. It is possible to imagine that a Palladium-hardware-aware version of Linux could be created and could make full use of Palladium's hardware features in order to achieve trust comparable to the Windows implementation. Microsoft is only writing an implementation for Windows, but plans to publish all the technical details."
      In other words: don't get your undies in a bind...at least not yet.
  3. good insider view here... by slashdaughter · · Score: 5, Informative

    an interesting, detailed perspective on Palladium from someone who worked inside MS on some related stuff. TCPA and Palladium: Sony Inside
    --
    "The U.S. Constitution - not perfect, but it's better than what we have now"
  4. "Microsoft Apologist" by Little+Brother · · Score: 3, Informative

    I think it is important to note that the person described as a "Microsoft Apologist" is Farber, who testified against Microsoft in the antitrust trial...

    --

    Little Brother, watching the watchers

  5. I've seen it over and over and I'm tired of it... by prophecyvi · · Score: 5, Informative

    The initiative, called Palladium, after the mythological statue that defended ancient Athens against invaders, sits on a set of technologies that have long been in use

    Not to nitpick, but I AM tired of it... the Palladium was a small statue of Athena in the city of Troy, not Athens - it was stolen by the Greeks very near to the end of the Trojan War. It was the basis for the whole Trojan Horse bit. The explanation the Trojans received when they found the horse was that the theft of the Palladium by Odysseus had so infuriated Athena that the Greeks had left the horse to appease her wrath. The idea was then implanted in the Trojans' heads that the Greeks very much did NOT want the horse dragged into Troy, for then Athena would favour the Trojans and might kill all the Greeks on the way home. (Which, ironically, she and Poseidon largely did anyway.) The Palladium is generally held to have been taken by Aeneas on his flight from Troy to Italy, or maybe by Diomedes to Sparta, but never Athens.

  6. Moved to the pay site by lseltzer · · Score: 4, Informative

    The Levy piece has moved to the Newsweek Pay Archives.

    Try this link

  7. Re:The whole point... by GigsVT · · Score: 2, Informative

    They've said that the core of it will be open source. Of course their idea of open source is a lot different from Libre Software open source.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  8. Why MSNBC pulled the article-no, it's not bias.... by spectecjr · · Score: 5, Informative

    Here's the simple explanation for why MSNBC pulled the article:

    It's a Newsweek article.

    Newsweek charge for archive access.

    The article is now over a week old, and has been moved to their archives.

    Simple. If you want to get the article, you can still buy it from Newsweek for $2.95, or for a lot more if you want access to their entire library of stuff.

    You can still find it if you go to www.newsweek.com , and search the archives for Palladium.

    Simon

    --
    Coming soon - pyrogyra
  9. Java support by alext · · Score: 4, Informative

    Having been to a number of MS 'Executive Briefings' my impression is that by far the most requested item by large customers has been proper Java support. Right now it is costing companies a huge amount of effort to integrate Excel and Outlook apps with Java-based transactional systems, and going right back to 1998 the story from MS has never been "How can we help solve your problem?", only "How can we dominate this space and exclude competition?"

    Ironically, we had MS people on site for over a year to gather 'requirements' and help 'influence strategy'. There's no real question that this was by and large ignored - a small insight into what perhaps has been one of the most dramatic examples of contempt for customers ever exhibited by a major corporation.

    1. Re:Java support by Anonymous Coward · · Score: 1, Informative

      Except, of course, that Sun has this problem with actually letting MS implement anything like recent Java specs on Windows ...

  10. Nitpick on the Salon Article by Yankovic · · Score: 3, Informative
    Perens says that "what is new here is that the customer's PC is getting hardware with the specific purpose of constraining the customer. Never before has a customer received a speed governor on his car -- and this is worse than a speed governor. It's like saying, 'You may never drive into this part of town.'"

    It's worth pausing to think about Perens' example for just a second. Surely some lawyer somewhere has suggested to one of the Big Three automakers that adding speed governors to its fleet could save the company a penny or two in legal costs. So why don't we have speed governors in our Fords?
    Cars sold in the US do have speed governors on them. It tops out at about 140-150 miles per hour, in Fords (and others too, I don't know what those are). I've actually experienced this... we went out to the desert in my friend's Jaguar and actually hit it. It's why you can't buy a street legal Porsche that can outrun a cop car.

    I further disagree with Mr. Perens as well. The content is all that will be limited, not the computer. The computer will not be limited in any way. You can boot into untrusted mode and use whatever you want. The content, on the other hand, may require the use of trusted mode. That simple.

  11. Comparison to signed ActiveX controls by cant_get_a_good_nick · · Score: 3, Informative

    I remember the whole IE ActiveX vs Java wars. MS's view was to get signed code. Java's was to build a sandbox, and if you want to break out of that, then you do the certificate thing, and then you have to let individual items through (allow reading local files for example, but not write). MS has the bulk to say which one you chose, irrespective of technical superiority.

    Relying on 'signatures' to protect you is false hope. Check on www.microsoft.com, search for "ActiveX Security vulnerability" using ALL keywords. You'll get 100 hits back, and the search cuts off at 100, so I don't know how many there are. Yes, the Java security manager had holes (these holes were eventually plugged). But at least there were limits, like a hole in the dike instead of it collapsing. How many IE holes were because certain ActiveX controls were marked "safe for scripting"? So this ActiveX had the run of the system. The controls are signed, but what's stopping a rogue person from obtaining a certificate and releasing a bad ActiveX control (or a bad app)? I remember someone did this, had a certificate and made code that was a proof of concept (I don't remember, I think he wrote something in the Run key, and you saw a message every time you started up). I also remember when someone pretended to be from Microsoft and obtained a key? Yeah, MS released a patch invalidating the key, how many folks didn't install the patch? Is there code out there with that key? If they can't even hold on to their keys, how can you trust them?

    How do you protect against bugs? Outlook wasn't intended to be malicious, but look what happened. MAJOR design flaws in Outlook, and how it's integrated into the system (a great deal of virus damage can be traced to the fact that Explorer by default doesn't show extensions, and Outlook picks this up). Neither was sendmail, how many bugs came from that? OK, sendmail's signed now, I can still root you. Is a signed IIS any less vulnerable to Nimda? Is all the KaZaa spyware gonna get kicked off 'cause of this? Nahh, it's all gonna be signed.

    This is where a sandbox mentality is best. Something like the jail and chroot syscalls. Limit the damage that can be done to the system. Have all syscalls be available to be jailed, something like the security manager in Java. Have IIS be jailed to not be able to use connect() to dial out to other servers, jail the ability to make files anywhere other than a log-root, so it can't make startup files in /etc. Limit the damage it can cause. I forgot the Free-NIX projects that support restricted syscalls.

    A big problem with Palladium is that it turns people into certificate validators. How many folks do you know who know how to read a key? It's gonna be either accept all, or accept none, depending on what the default is. And if you accept, you're still making your system susceptible to bugs and trojan horses.

    This just seems, to me anyway, to be Microsoft's way of pushing new software and hardware. I don't see it helping folks much.

  12. Kuro5hin discussion by cant_get_a_good_nick · · Score: 3, Informative

    They started a discussion on MS and Sony. Read it, it comes from a former Microsoft developer.