Slashdot Mirror


Gates and Lasser on Palladium

A rather funny juxtaposition this morning - Bill Gates or someone with his signature stamp sent a spam-gram to pretty much everyone who receives any sort of Microsoft email: Bill only mentions Digital Rights Management in one throw-away sentence. And like most other spam, he promises it's a one-time mailing. On the other hand, Jon Lasser of Think Unix fame takes a harsher look at Microsoft's vision of a world where your computer is trusted against you.

358 comments

  1. Yeah and... by Anonymous Coward · · Score: 0, Troll

    How is this news? Everybody already knew what Bill would
    say and what every other tech in the world would say.
    Meh. Next story. Something with kittens maybe please?

    ~The Sexy Mac

    1. Re:Yeah and... by bafreer · · Score: 0

      mod this up! the man is asking for kittens!

    2. Re:Yeah and... by Anonymous Coward · · Score: 0

      Did someone mention kittens? Click here for the TOP 10 CUTEST KITTENS!

    3. Re:Yeah and... by Anonymous Coward · · Score: 0

      here are some delectable kittens.

    4. Re:Yeah and... by Anonymous Coward · · Score: 0

      OS X. FreeBSD, something.

      Linux is even OK.

      MS created the distributed virus problem by releasing shit software. Period.

      I've never ever had a virus on my Mac boxes or Unix servers.

    5. Re:Yeah and... by Anonymous Coward · · Score: 0

      mod this up! this kind of crap is the only thing slashdot is good for anymore.

  2. Ahhh by Chetmurray · · Score: 4, Funny

    I never would have thought MS would spam, that is something only desperate companies do.

    And here I thought that was a personal note to me. I have spent the last three hours writing my personal reply. Guess I will just send it to this nice Nigerian man who just emailed me, he just suffered a personal tragedy and seems to need some support.

    Chet

    1. Re:Ahhh by bpfinn · · Score: 0, Redundant

      I thought Bill was going to instruct me to send the email to my friends, and he would pay me a dollar for each one who received it. No such luck though.

    2. Re:Ahhh by Mr.+McGibby · · Score: 1

      And here I thought that was a personal note to me. I have spent the last three hours writing my personal reply.

      Well, from the looks of the header on my email, your personalized reply would probably be linked directly to the info MS has on you. My reply-to address had a GUID in it.

      --
      Mad Software: Rantings on Developing So
    3. Re:Ahhh by hojo · · Score: 0, Offtopic

      Dude, I don't want to see another comment from you unless it's along the lines of "New version of Alien vs. Child Predator now up at the reopened OMM." I mean, seriously, where can I find some of the quality work that you chuckleheads used to turn out? Old Man Murray ripped me a new one, to quote the Duke.

      Damn I miss that stuff. Start to crate ratings...the Deus Ex walkthrough...

      Bring it back, man. Unless you're an imposter, in which case bite me.

    4. Re:Ahhh by Steve+Franklin · · Score: 1

      A dollar? One lousy dollar? You don't think Bill could afford, maybe, two dollars? ;o)

      --
      Hic iacet Arthurus, rex quondam rexque futurus.
    5. Re:Ahhh by evilempireinc · · Score: 1

      I thought he said to buy a copy of windows 98 and would pay $1 for each person you gave it to...

      --
      we can rebuild this sig. we have the technology
    6. Re:Ahhh by tx_mgm · · Score: 0

      amen!
      there is NO BETTER site out there for games than old man murray....c'mon chet, we miss you!

      --
      Gentlemen...BEHOLD!
      -Dr. Weird
    7. Re:Ahhh by homer_ca · · Score: 1

      I got that message from Bill Gates too in a spamtrap mailbox (deleted user from years ago). Just for fun, I went into the profile for that user and put in all fake names and addresses. Homer Simpson, 123 Fake St, Springfield CA, 90210. unsubscribe90210@microsoft.com

      Let's see them try and spam that address. BTW I also checked the box to please send me junk snailmail and let telemarketers call.

  3. Secure By Default ? by unixmaster · · Score: 0

    In the email Bill says "Secure by default" . I say watch out they may acquire OpenBSD ;-)

    --
    Never learn by your mistakes, if you do you may never dare to try again
    1. Re:Secure By Default ? by Anonymous Coward · · Score: 0

      Which moron modded this down? Secure by Default is from OBSD Rel. 3.0's theme song.

  4. Palladium is E-V-I-L by sllort · · Score: 2, Insightful
    The way everyone talks about TCPA/Palladium, you'd think it was the biblical mark of the beast. "A single, remote authority with the ability to delete random files off my hard drive? Call the Free Speech Police!"

    The problem with everyone's understanding of TCPA/Palladium is that there won't be a single authority (flying Black Helicopters over your PC at night). Big companies like IBM (and especially the government) may use it for document control, but that's about it. What Palladium will do for the world is:
    • End the untrusted binary problem. Viruses will be blacklisted by a remote server - no more email viruses, ever
    • End the trojan horse/worm problem
    These are important features that Joe sixpack the home user really wants. Nobody likes getting a virus and losing all the information on their Hard Drive.
    By jaundicing themselves against the IEEE's implementation of this important standard, the Linux movement is just putting itself behind the curve in computer security.
    If Palladium succeeds, and Linux doesn't follow, then Linux machines will be the only computers that can get viruses. How ironic would that be?
    1. Re:Palladium is E-V-I-L by Telastyn · · Score: 4, Interesting

      Until of course the remote server is compromised and suddenly explorer.exe is an untrusted binary and every windows machine in the world shits a brick.

    2. Re:Palladium is E-V-I-L by Anonymous Coward · · Score: 0

      "flying Black Helicopters over your PC at night"

      Actually, that's perfect. The anti-aircraft guns on my garage roof are controlled directly to the PC in the laundry room. Altitude = 90 deg, Azimuth = pick a number, any number, then fire away.

    3. Re:Palladium is E-V-I-L by dusanv · · Score: 5, Insightful

      Did you read the articles at all? It is plainly said that Palladium will not eliminate application layer virii. That means Joe Sixpack *will* be getting more Outlook & Word virii. What he won't be able to do is to watch unlicensed content. It is plain that this has nothing to do with Joe Sixpack's security but only with content protection Hollywood and total control by Microsoft.

      The problem with everyone's understanding of TCPA/Palladium is that there won't be a single authority (flying Black Helicopters over your PC at night). Big companies like IBM (and especially the government) may use it for document control, but that's about it. What Palladium will do for the world is:

      * End the untrusted binary problem. Viruses will be blacklisted by a remote server - no more email viruses, ever...


      You are contradicting yourself in a mere two sentences. No black helicopters? They don't need them. The server you mention later is *way* better. Whoever controls that server - controls your PC.

      Cheers,
      D.

    4. Re:Palladium is E-V-I-L by cioxx · · Score: 3, Insightful

      If Palladium succeeds, and Linux doesn't follow, then Linux machines will be the only computers that can get viruses. How ironic would that be?

      I would rather be bombarded by viruses than have my hardware sign off my hardware and sanity to big corporations so they can tell me what to do, and how to use them.

      Ask yourself this question: "Would you rather drive a Ferrari in a prison, or Honda Civic out in the city"

    5. Re:Palladium is E-V-I-L by Anonymous Coward · · Score: 0

      Hey, How about doing something simple and fixing the gaping holes in the programs that TRANSMIT and EXECUTE these viruses? Outlook is the Number one Security hole in microsoft products. End of story. No email client needs to have any kind of automated scripting or scripting in general. We don't need to open attachments from inside the email client.

      Joe Sixpack will be fine... we just need to stop catering to the ultra-lazy and the ultra-stupid with software.

      It amazes me that after 5 times a person will STILL just click to open an attachment from someone.. I am almost tempted to initiate a "you get a virus your computer gets wiped" policy here.. maybe, just maybe it would make those morons and idiots in sales and marketing think before opening something looking for their advice.

    6. Re:Palladium is E-V-I-L by sedawkgrep · · Score: 3, Insightful

      Did you even READ the damned article?

      Most of the vulnerabilities represented in the article execute inside the already-authorized binary. Palladium will not prevent or fix that problem. Palladium can stop unsigned binaries from being run and provide a measure of content control, but not prevention of vulnerability or risk.

      AFA Linux goes - more likely than not, Linux won't run at all on Palladium hardware...and besides, do you really want to start counting how many Linux viruses there've been vs. the number of Microsoft Windows ones? I didn't think so.

      Palladium in the home sector is just BAD BAD BAD. I don't want any of it. None. It's too bad short-sighted people like you are so eager to adopt a fascist draconian design in the false veil of added security.

      sedawkgrep

      --
      Is that a salami in my pants or am I just happy to be me?
    7. Re:Palladium is E-V-I-L by sllort · · Score: 1

      Until of course the remote server is compromised and suddenly explorer.exe is an untrusted binary and every windows machine in the world shits a brick.

      Of course, how many times has Microsoft been hacked? Not their misconfigured software set up by users in the field, but their truly important computers, the ones they pay attention to.

      Never.

      Their source control servers have never been hacked. Microsoft.com has never been defaced. This is because when it matters, Microsoft's security is tough as nails.

      Anyway if you're worried, don't buy Windows.

    8. Re:Palladium is E-V-I-L by Hammer · · Score: 2

      Anyone want to bet on the time before there is a virus that appears as if it was signed...
      That blew that benefit for Joe Sixpack
      Leaves only the benefit for Big Corp Inc. No more of that commie Linux thingie

    9. Re:Palladium is E-V-I-L by zulux · · Score: 2

      End the untrusted binary problem. Viruses will be blacklisted by a remote server - no more email viruses, ever


      Amend that to:
      End the untrusted Windows binary problem.

      OpenBSD users have been using trusted sources for a long time with the signed_exec kernel patch. I imagine that there are equivalents in most *nix.

      So remember, just because it's a problem in Windows, doesn't mean it's necessarily a problem with more robust operating systems.

      --

      Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

    10. Re:Palladium is E-V-I-L by u-235-sentinel · · Score: 1

      Palladium systems will be virus free for 2 weeks at most. I recall many people talking their products up like nobody could infect/crack their systems only to back down and plead for forgiveness. If there is a way in then crackers will get in. Apple, IBM, Microsoft all have lost the battle. Oracle recently said they were unbreakable. That lasted about a week if I recall.

      --
      Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
    11. Re:Palladium is E-V-I-L by shkn_not_strd · · Score: 1

      If Palladium succeeds, and Linux doesn't follow, then Linux machines will be the only computers that can get viruses. How ironic would that be?

      Part of the problem is the fact that Palladium is largely a Microsoft controlled thing. Do you think Microsoft will give the Linux community the "key" to "follow"? Why should the Linux community be forced to "follow" in the first place?

      And how about when I develop my own application. What am I going to have to pay in order to get it "certified" to run on a Palladium controlled system.

      In the end it is just another way for Microsoft to try and maintain some control.

    12. Re:Palladium is E-V-I-L by .com+b4+.storm · · Score: 1

      End the untrusted binary problem. Viruses will be blacklisted by a remote server - no more email viruses, ever

      ...

      End the trojan horse/worm problem

      Oh please. "Untrusted" binaries being banished from the face of the earth will not help much. I'm sure Outlook will be a "trusted" program, and it is still dangerous even when functioning properly. Trusted binaries could still be exploited, my friend.

      --
      "Wow, you're like some kind of superhero able to ward off happiness and success at every turn."
      -- Ryan Stiles
    13. Re:Palladium is E-V-I-L by Paolomania · · Score: 1
      it will also:
      • End the fair use rights problem
      • End the personal privacy problem
    14. Re:Palladium is E-V-I-L by sllort · · Score: 1

      Palladium can stop unsigned binaries from being run and provide a measure of content control, but not prevention of vulnerability or risk.

      Actually, you're wrong. Palladium gives a corporation the ability to whitelist executables within their organization, blocking all but the ones they have personally inspected. You refer only to the default configuration.

    15. Re:Palladium is E-V-I-L by Moonshadow · · Score: 2
      They still run IIS.

      Remember the Windows Update/Code Red fiasco?

      If the fish was big enough, SOMEONE would find a way in, and r00t to every Windows box in the world is a fairly big fish.

    16. Re:Palladium is E-V-I-L by Anonymous Coward · · Score: 0
      Viruses will be blacklisted by a remote server

      Will that be a real time blacklist?

      (ducks)

    17. Re:Palladium is E-V-I-L by tsa · · Score: 1

      Well, I'm afraid you can't run the binaries you compiled from your own source code on your own computer anymore, because you first have to have them approved by a bureaucratic entity...

      --

      -- Cheers!

    18. Re:Palladium is E-V-I-L by gilroy · · Score: 2
      Blockquoth the poster:
      Anyway if you're worried, don't buy Windows.
      Sure, that's OK for now, while there are other OSes. But what happens when hardware-level implementation of Palladium takes place? When connection to the Net is mandated to be through Palladium-secure boxes only?

      That's like saying, in 1960, "If you don't like what Ma Bell is doing, just get rid of your phone line." It's not a practicable option -- and it should be the only one available.

    19. Re:Palladium is E-V-I-L by SpatchMonkey · · Score: 3, Insightful
      • I am almost tempted to initiate a "you get a virus your computer gets wiped" policy here.. maybe, just maybe it would make those morons and idiots in sales and marketing think before opening something looking for their advice.
      Your elitist attitude offends me somewhat.

      Stop your deluded fantasies that the only intelligent people in the world are those who know how to use a computer.
    20. Re:Palladium is E-V-I-L by The+Cat · · Score: 3, Funny

      This is because when it matters, Microsoft's security is tough as nails.

      So, I guess the next question is obvious: why doesn't it matter in their products?

    21. Re:Palladium is E-V-I-L by Anonymous Coward · · Score: 0

      That's kind of odd, I remember some time ago about there being a compromise at Microsoft that was traced back to somewhere in Eastern Europe, and access was had by those in question for months on end before things were noticed.....

      Or was that something that I just dreamed up?

    22. Re:Palladium is E-V-I-L by captain_craptacular · · Score: 2

      Here's a link for ya.

      --
      They who would give up an essential liberty for temporary security, deserve neither liberty nor security
    23. Re:Palladium is E-V-I-L by Telastyn · · Score: 1

      Indeed, but wasn't the original poster saying that the main point was that the servers would *not* be controlled wholly by Microsoft?

    24. Re:Palladium is E-V-I-L by sllort · · Score: 1

      Did you read the articles at all? It is plainly said that Palladium will not eliminate application layer virii.

      Large businesses (read : domains) can choose to move from a "blacklist" model to a "whitelist" model, where only approved binaries can be run. This does protect the end user from application level virii. It's not my fault open-source-whoever got it wrong.

    25. Re:Palladium is E-V-I-L by JCCyC · · Score: 1

      Ask yourself this question: "Would you rather drive a Ferrari in a prison, or Honda Civic out in the city"

      Rubens Barrichello chose the first option. And no, I don't think Michael Schumacher's initials are a coincidence.

    26. Re:Palladium is E-V-I-L by Anonymous Coward · · Score: 0

      Where's Enzo when you need him (yes I know he's dead)? There was never a No 1 driver or team orders when he was around.

    27. Re:Palladium is E-V-I-L by gorilla · · Score: 3

      Large businesses often have an official 'whitelist' model anyway. Their computer support depts. install the software, and the majority of their users don't have the knowledge how to install new stuff. So what happens? Word viruses, Excel viruses, Outlook viruses. It's no good having a whitelist if your whitelist includes programs with vulnerabilities, and unfortunately a majority of applications DO.

    28. Re:Palladium is E-V-I-L by Anonymous Coward · · Score: 0
      Personally inspected what? The box the software came in? Is MS providing source now, or even any notion of a guarantee that binaries can be restricted from harming your files? This isn't about protecting your data from anyone's binaries, but about protecting their files from your binaries.

      This is something that the open source community could beat MS on handily, by providing the ability to run untrusted binaries in a very restricted mode. Something like user mode Linux or a chroot jail, but less klunky. By untrusted I would include just about everything, especially things like RealPlayer, Mathematica, StarOffice, Ghostscript, etc., that have the potential for doing damage, but have no real reason to look at anything but a few configuration files and a handful that I give access to during any particular session.

    29. Re:Palladium is E-V-I-L by NumberSyx · · Score: 2

      This is because when it matters, Microsoft's security is tough as nails.

      Was it 2000 or 2001 that Microsoft's own internal network was cracked and they were afraid the source code to Windows had been stolen? Do a google search on "windows source code stolen", you will get plenty of links. If they can't protect their own systems, what makes me think they can protect mine?

      --

      "Our products just aren't engineered for security,"
      -Brian Valentine,VP in charge of MS Windows Development

    30. Re:Palladium is E-V-I-L by Lord+High+Troll · · Score: 0, Flamebait

      You, sir, are so full of shit I could smell your post from the main page. Get a life and quit defending MS, unless you are paid to do so, in which case I suggest you get your facts straight.

    31. Re:Palladium is E-V-I-L by the_marco_polo · · Score: 0, Troll
      Now we're hearing all this nonsense of how Palladium will ruin free speech, stop open source software, enable Microsoft or the government to spy on us, etc, etc,... does this remind anyone else of what people thought .Net was supposed to do?

      .Net was made out to be this huge Microsoft joke that threatened the whole communication scheme of the internet! Really, now, we are seeing an open source .net being developed, and Passport? Hey, there's an open source/open standards version of that (Liberty Alliance) now as well.

      If Palladium is such a big deal to the safety and choice of every computer user, why doesn't the open source software community come up with an alternative, or come up with open standards???

    32. Re:Palladium is E-V-I-L by bofkentucky · · Score: 1

      I thought there was a leak in source control, yep 3 months in 2000. All they found was a bunch of stuff from Berkeley though.

      --
      09f911029d74e35bd84156c5635688c0
    33. Re:Palladium is E-V-I-L by Anonymous Coward · · Score: 0

      Would these be the same idiots that generate sales and income for your company, and therefore pay your salary?

      Learn some respect.

    34. Re:Palladium is E-V-I-L by Cowculator · · Score: 1

      I'll freely admit that I dislike Palladium as much as the next Linux user, but here's something to consider:

      Microsoft has said that there will be multiple authorities with the ability to sign programs. Imagine that somehow, through a very sudden change of heart, Bill Gates decides to give a company (or a whole bunch of people) such as Red Hat the ability to sign all ELF binaries regardless of content. This won't hurt the Windows users, since they can't handle ELF, so at least their virus protection isn't compromised.

      Would you be more willing to trust Palladium if Red Hat or someone like that could sign anything you wanted to compile? Or would you still expect Microsoft to eventually withdraw their support, make the cost of it prohibitive, or pull a Hotmail on the Linux community?

    35. Re:Palladium is E-V-I-L by Anonymous Coward · · Score: 0

      YHBT.
      YHL.
      HAND.

    36. Re:Palladium is E-V-I-L by wirefarm · · Score: 4, Insightful

      The way everyone talks about TCPA/Palladium, you'd think it was the biblical mark of the beast.

      No, it's the Business Plan of the beast.

      * End the untrusted binary problem. Viruses will be blacklisted by a remote server - no more email viruses, ever
      * End the trojan horse/worm problem


      No. Sorry. I don't want Microsoft scanning or reading my mail. I trust them less than I do the virus writers.

      Most of the problems with Windows arise from programs that Microsoft *trusts*.

      Why not give me a Windows mail client that *cannot* run embedded code of *any* kind?
      I can live without JavaScript in my email.
      I don't need IFrames in my messages.
      I can save attachments to disk before opening them - so can Joe Sixpack. Do that much and you probably don't need Palladium.

      These are important features that Joe sixpack the home user really wants. Nobody likes getting a virus and losing all the information on their Hard Drive.

      Joe Sixpack really doesn't matter to Microsoft. Business and Government users do. The thing that stops many businesses from switching to a real operating system is not the availability of commercial software, it's the dozens of little in-house-developed apps that companies use.
      Very often these apps have been written by long-gone consultants who left neither the source code nor a forwarding address. So what does the company that uses these apps do? Can they arbitrarily sign the apps and let them run on Palladium-capable machines? If so, can anyone sign any bit of code and make it run? Sort of defeats the purpose, so I guess they won't be doing that...

      By jaundicing themselves against the IEEE's implementation of this important standard, the Linux movement is just putting itself behind the curve in computer security.

      You're missing a small point about Linux: If you have Linux, you also get the source code. If you make a change to the source and recompile it, it's no longer signed. Patching and recompiling is a necessity that they are not accounting for in this plan.
      This attitude is dangerous and irresponsible on their part - Go read that story on the spread of Code Red from yesterday - Within hours of the attack, people were writing fixes and workarounds. What if none of these fixes ran, because they weren't properly signed by the original author?
      Also consider the following: IIS at the time could have been signed and still been just as vulnerable. Code Red used 'Out of the Box' virgin copies of the programs as written by Microsoft and still wreaked havoc on the net. Palladium would have done little if anything to stop this.

      Two points:
      1.) Microsoft is offering a false sense of security.
      2.) Microsoft is offering a false sense of security.

      If Palladium succeeds, and Linux doesn't follow, then Linux machines will be the only computers that can get viruses. How ironic would that be?

      Do you *really* believe that Linux gets so few viruses now merely because of its smaller user base? One big difference between Linux and Windows is the permission scheme - you can only do what you are allowed to do in Linux. You can't read/write/execute files where you don't have rights. Linux programs run as users - if you don't trust the program, run it under a user with few rights. It's not perfect, but better than what Microsoft is offering.

      Now go to a Windows Machine (95/98/ME - others too?). Boot it. When the login screen pops up, hit escape. Hit 'start', 'run' and type 'regedit'. Change whatever you like. That is not good. Microsoft decided that a lack of security was what the user wanted, then later decided to fix this with a bunch of cobbed-on hokey 'enhancements' that do not correct the original problems. Maybe XP and 2000 fix this somewhat, but I wouldn't know - we have 4 XP laptops at my office that I spend LITERALLY an hour a day maintaining for the users. (Wireless networking problems.) No matter how good the OS is, if it doesn't do basic things for my users, it's less than useless - it's counterproductive.

      Microsoft is again waving around their heavy hand and people are frightened that they are going to screw things up even more - I know that I am...

      Cheers,
      Jim in Tokyo
      (Go ahead, mod me 'overrated' - I no longer care...)

      --
      -- My Weblog.
    37. Re:Palladium is E-V-I-L by Lord+Custos · · Score: 1

      Did you read the articles at all? It is plainly said that Palladium will not eliminate application layer virii. That means Joe Sixpack *will* be getting more Outlook & Word virii. What he won't be able to do is to watch unlicensed content. It is plain that this has nothing to do with Joe Sixpack's security but only with content protection Hollywood and total control by Microsoft.
      And giving Hillary Rosen the power to DELETE your mp3 collection at a distance and at a whim. I bet when Gates suggested this scheme to her, Rosen creamed in her undies.

    38. Re:Palladium is E-V-I-L by Anonymous Coward · · Score: 0

      One asshole, under the delusion that's words have magic powers, unintelligent, with no liberty and an overriding urge to shove his moronic religion down everybody else's throat. Sic semper tyrannis.

    39. Re:Palladium is E-V-I-L by JCMay · · Score: 1

      Since when do we measure altitude in degrees? Did you mean elevation?

    40. Re:Palladium is E-V-I-L by Lord+Custos · · Score: 1

      Three side points:
      One) Let's see how easy it is for some bored kid to figure out how to get his trojans "legitimately 'signed' " by Microsoft and thus render them "immune" to Palladium blacklisting. and
      Two) How long before scumware writers figure out the same "exploit" and get their spyware "signed" and immune to the blacklist. and
      Three) How long before all legitimately legitimate software (even Win32) ends up unrunnable (because some smartass alters the Palladium blacklist) and leaves trojans and spyware as the only things that DO run under Palladium.
      Granted this is far-fetched and a bit paranoid, but that doesn't make a world that comes even a fraction of the way to this level of absurdity any less scary.

    41. Re:Palladium is E-V-I-L by Cyberia · · Score: 1

      Bottom line in my opinion, it appears as though the programmers at M$ can't program (at least securely), so they need to rely on hardware to catch their bugs. Whatever happened to pride in one's work? I could see it now... "Gee, guess I better hack out 100,000 more of code today, so I can buy that other benz tonight...yeah, the sel edition..."

      BTW, has anyone at all addressed what the consequences are going to be for the little guy who is just starting out (freeware/shareware)? I wonder who will control the signing and how much they will charge, or how long the process will take.

    42. Re:Palladium is E-V-I-L by The+Rogue86 · · Score: 0

      So that they can sell you the next version with improved security silly. Why do you think Linux started out so secure no money to be made in upgrades...

      --
      This is how you know you're a geek the power goes out and you are unemployed and unemployable. Yes I know I can't spell
    43. Re:Palladium is E-V-I-L by Scudsucker · · Score: 1

      But what if I don't want to go through RedHat? Why should I have to go through some company to roll my own distro?

    44. Re:Palladium is E-V-I-L by FurryFeet · · Score: 2

      Of course, how many times has Microsoft been hacked? Not their misconfigured software set up by users in the field, but their truly important computers, the ones they pay attention to.

      Never.


      As far as you know.
      Really, I don't think they'll advertise it.

    45. Re:Palladium is E-V-I-L by ochinko · · Score: 1
      This is because when it matters, Microsoft's security is tough as nails.

      Care to explain this then? Microsoft fails to use own security product

    46. Re:Palladium is E-V-I-L by MrResistor · · Score: 3, Funny

      This is because when it matters, Microsoft's security is tough as nails.

      I worked in construction for over 10 years, and I can tell you without hesitation that nails are not tough.

      Hardened lag bolts are tough.

      Glue-lams are tough.

      Reinforced concrete is tough.

      Nails are not tough.

      Nails bend and break with surprisingly little effort, especially when pitted against things that are actually tough.

      Similarly, Microsoft has been hacked a few times, and I don't mean their misconfigured products in the field -- unless that includes Windows Update and their source control servers (which were in fact hacked not too long ago and were open for some time).

      --
      Under capitalism man exploits man. Under communism it's the other way around.
    47. Re:Palladium is E-V-I-L by FroMan · · Score: 1, Redundant

      "trolls" = reverse ("sllort")

      Congrats people... You've been trolled.

      --
      Norris/Palin 2012
      Fact: We deserve leaders who can kick your ass and field dress your carcass.
    48. Re:Palladium is E-V-I-L by NiceGeek · · Score: 1

      "I bet when Gates suggested this scheme to her, Rosen creamed in her undies."

      *shudder* That's an image that would haunt me the rest of my days.

    49. Re:Palladium is E-V-I-L by b00+3rn5 · · Score: 1

      This is generally what happens whenever anti-M$ screaming occurs. None of it comes true. If it did, by their account, we'd be living in some Orwellian nightmare.

    50. Re:Palladium is E-V-I-L by 1010011010 · · Score: 2


      Microsoft's corporate network was compromised, and its source code repositories touched, by a hacker in the recent past.

      Windowsupdate.microsoft.com fell to Code Red.

      --
      Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
    51. Re:Palladium is E-V-I-L by 1010011010 · · Score: 2


      Well, I guess Outlook, Word and Excel won't be on the "whitelist," if they want to avoid macro viruses.

      Macro viruses are not binaries, after all, and won't be signed or verified by the program loader or hardware. They're program data, not program code, from the point of view of the OS.

      --
      Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
    52. Re:Palladium is E-V-I-L by Anonymous Coward · · Score: 0

      End the untrusted binary problem. Viruses will be blacklisted by a remote server - no more email viruses, ever

      Newsflash: email viruses aren't always binaries. Many of them are scripts, executed by the (trusted) email application.

      Tell me this: will I, in my capacity of professional programmer, be able to create trusted applications? If so, I can tell you now that I will have the _capability_ of creating trusted virii.

      If not, how will I be able to do my job? If I can only run 'trusted' programs but cannot create them, will I have to send every newly-compiled program off to M$ for 'validation' before I can run and test it?
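
The point made in the two comments above (a loader that verifies binaries never sees a macro or script, because to the OS it is data handed to an already-trusted application), shown as an added example that is not part of the original thread. A SHA-256 allowlist stands in for signature verification, and every file name, file content and policy function here is constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample files (name -> content). Nothing touches the real filesystem.
FILES = {
    "mailclient.exe": b"constructed image of a signed mail client",
    "wordproc.exe": b"constructed image of a signed word processor",
    "dropper.exe": b"constructed image of an unsigned binary",
    "approved_report.macro": b"constructed macro reviewed and approved by the admin",
    "attachment.script": b"constructed script that arrived as an e-mail attachment",
}


def sha256(name: str) -> str:
    """Hex digest of a constructed sample file."""
    return hashlib.sha256(FILES[name]).hexdigest()


# Assumption: a hash allowlist stands in for "signed and verified by the loader".
TRUSTED_BINARIES = {sha256("mailclient.exe"), sha256("wordproc.exe")}
# Trusted binaries that interpret their input as code (macros, scripts).
INTERPRETERS = {"mailclient.exe", "wordproc.exe"}
# Interpreted content that was approved separately from the binaries.
TRUSTED_CONTENT = {sha256("approved_report.macro")}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def loader_policy(binary: str, content: Optional[str] = None) -> Decision:
    """What a program loader can check: the binary image and nothing else."""
    if sha256(binary) not in TRUSTED_BINARIES:
        return Decision(False, f"{binary}: binary not on allowlist")
    return Decision(True, f"{binary}: binary verified, content {content!r} never inspected")


def content_aware_policy(binary: str, content: Optional[str] = None) -> Decision:
    """Same binary check, plus a check on code handed to an interpreter as data."""
    base = loader_policy(binary, content)
    if not base.allowed:
        return base
    if binary in INTERPRETERS and content is not None:
        if sha256(content) not in TRUSTED_CONTENT:
            return Decision(False, f"{content}: interpreted content not on allowlist")
        return Decision(True, f"{binary} + {content}: binary and content verified")
    return base


def evaluate(events):
    """Run both policies over (binary, content) launch events."""
    return [
        (b, c, loader_policy(b, c).allowed, content_aware_policy(b, c).allowed)
        for b, c in events
    ]


if __name__ == "__main__":
    sample_events = [
        ("dropper.exe", None),                        # unsigned binary
        ("mailclient.exe", "attachment.script"),      # trusted app, untrusted script
        ("wordproc.exe", "approved_report.macro"),    # trusted app, approved macro
    ]
    for binary, content, loader_ok, aware_ok in evaluate(sample_events):
        print(f"{binary:15} {str(content):22} loader={loader_ok} content_aware={aware_ok}")
```
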

    53. Re:Palladium is E-V-I-L by Sylver+Dragon · · Score: 1

      As an extra note to this, keep in mind that MS's much touted Windows Authentication Protocol was cracked the same day Bill Gates made the unveiling speech for XP. If it exists, it will be cracked, though I still would rather not have to try in the first place.
      As a side note, I like the idea of voting with dollars, and trying to kill Palladium by not buying products that have it, but sadly, this type of thing will only hold up until the GeForce/ATI (insert large number here) comes out and has this sort of thing built in. Ya, that Ti4600 is cool now, but will you really want to still be using it in 5 years? People will cave, Palladium will become a standard as soon as the hardware manufacturers get on the bandwagon with Bill. Most of us here on /. may scream, bitch and moan about this sort of thing, and rightfully so, but in the end there is nothing we can do about it. So, I say, start now, get what specs you can on Palladium and start working on breaking it now. The sooner it's broken, the sooner hardware companies will give up on paying licensing costs on a worthless technology.

      --
      Necessity is the mother of invention.
      Laziness is the father.
    54. Re:Palladium is E-V-I-L by Anonymous Coward · · Score: 0


      Holy crap, are you serious? He used to make guys *get out of their freaking cars* in order to collect points.

    55. Re:Palladium is E-V-I-L by roofingfelt · · Score: 1
      The way everyone talks about TCPA/Palladium, you'd think it was the biblical mark of the beast.

      Presumably the first Intel CPUs to contain Palladium support will use a 666MHz FSB (533+133)

    56. Re:Palladium is E-V-I-L by Anonymous Coward · · Score: 0

      Insightful, my gaping anus!! It's another cleverly disguised goatse.cx link.

      Don't you morons check before moderating?!?!?!?!

    57. Re:Palladium is E-V-I-L by Anonymous Coward · · Score: 0

      If you spend an hour a day maintaining a wireless network maybe your company should hire someone that's better at it?

      I set mine up in a couple hours and haven't had to do anything with it. It just works.

    58. Re:Palladium is E-V-I-L by Spruce+Moose · · Score: 1

      Just think how much more money they could be earning if their network wasn't down after being trashed by the Outlook virus of the week.

      There's being elitist, and there's having to clean up the same mess over and over again because people can't be trusted not to click on attachments.

    59. Re:Palladium is E-V-I-L by chris_mahan · · Score: 2

      But if the servers are not controlled solely by Microsoft, then who else would have that? IBM? Apple? DELL? USARMY? The French government? The Japanese Government? The Saudi Government? The Israeli Government? The Palestinian Authority? The Kyrgyzstan Government?

      In that case, I tell you what: I will go back to pen and paper, because my computer (that I paid for with MY money) will then just be an extension of the government's efforts to suppress free speech and track down terrorists.

      And I can nearly guarantee that world governments will get access to Palladium Control Servers, because of the War Against Terror. Think: MI5 in UK, etc.

      --

      "Piter, too, is dead."

    60. Re:Palladium is E-V-I-L by Reziac · · Score: 2

      No, *grade 8* lag bolts are tough. Grade 3 lag bolts are not so tough. :)

      But it's a good point -- tough (secure) compared to what??

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    61. Re:Palladium is E-V-I-L by Lord+Custos · · Score: 1

      You're welcome.

    62. Re:Palladium is E-V-I-L by unoengborg · · Score: 1

      The lower viri count on Linux does probably have
      little to do with the smaller user base, but more
      with its more educated user base. When Linux becomes
      appealing to less educated users it will have a virus
      problem too.

      Even if Linux is more modularized, with smaller chunks
      of code that are easier to audit for security problems,
      this in no way protects Linux from virus infections.
      Mandatory access control and signed binaries would be
      an excellent way to protect Linux systems.

      But if you trust the owner of the system, there
      is no need to involve hardware; this is only needed
      for DRM. So I think somebody in the Linux community
      needs to set up a CA that could issue certificates
      for code signing purposes. Maybe it could work something
      like Thawte web of trust for e-mail certificates.
      In that system your identity is verified once.
      Then you can request as many certificates as you
      need. That way you could trust code signed by certain
      persons or organizations.

      By combining security by good design and by
      cryptography we would get very high security and
      it would work not only on special hardware, but any
      hardware from the smallest handheld to the largest
      mainframe.

      With such competition MS and their Palladium wouldn't
      stand a chance, especially if we manage to find a
      widely trusted and accepted CA. EFF comes to mind.

      --
      God is REAL! Unless explicitly declared INTEGER
    63. Re:Palladium is E-V-I-L by Anonymous Coward · · Score: 0

      Tough as nails meaning tough as nails you hit with a hammer, definitely not finger nails.

    64. Re:Palladium is E-V-I-L by Billly+Gates · · Score: 2
      "By jaundicing themselves against the IEEE's implementation of this important standard, the Linux movement is just putting itself behind the curve in computer security."

      There is one big problem. Palladium is copyrighted and its use is patented by Microsoft. This gives Microsoft the power to have Linus and RMS actually beg to have the right to use it or even boot on x86 hardware. In fact I recall a conspiracy theory over at the register's website regarding palladium as a way to kill the gpl. If Bill refuses to license with gpl code then it can't be used. Remember not only does Microsoft own the patent on using it but under the DMCA it's even illegal to reverse engineer it to somehow bypass the security measures. If Bill licenses the use of palladium to linus under a strict nda which forbids gpl code then linux is compromised. To me this sounds dangerous. If palladium was an open standard then it would be different but it is not. It is owned by Microsoft/Intel. If Palladium succeeds then linux on x86 is dead! Period! It's sun, mac or ancient hardware from there.

      To me palladium is not the savior but rather the most dangerous thing to happen to linux since the dmca. In fact I believe this is 100x worse than it. This might be Linux's death! This finally gives Microsoft a true monopoly on the x86 level that actually makes it ILLEGAL to compete! Not to mention that if my copy of Windows is deactivated then my pc is a literal doorstop. Can't do anything else without. Microsoft and not myself has ownership of my box.

      If palladium makes it then I will buy a mac as my next pc. If I need to work with .net for my job or school then linux is over for me and I will have to bend over to Bill or else. What a sad world we live in.

    65. Re:Palladium is E-V-I-L by Anonymous Coward · · Score: 0

      Where's Enzo when you need him (yes I know he's dead)? There was never a No 1 driver or team orders when he was around.

      *cough*Scheckter*cough*Gilles*cough*

  5. The Hipocracy! by FortKnox · · Score: 4, Insightful

    No, not of MS, but of Slashdot.

    When someone mentions they gave up Linux for Windows (don't feel like searching for the link, but it was a story last week), everyone on slashdot supported MS, and ran against Linux.
    But, a few stories later, we find ourselves reaming MS.
    Now MS tries to address subjects YOU WANT THEM TO ADDRESS, and the linux community is in an uproar.

    I'd like to suggest what someone suggested in the "give up linux" article.
    We need to STOP railing MS, and start boosting Linux. I don't want Linux to be successful if the success is based on dirty marketing against MS.

    What's worse is this wasn't even submitted to slashdot, it's an editor attempting to push MS into a story so we can all moan about it.

    I think it'd be in Linux's best interest if Slashdot didn't write anything negative about MS, just tech updates or whatever. It'd be a lot more mature than the dung-flinging that goes on here.

    This hypocrisy is just as bad as putting restrictions on users and preaching online rights...

    BTW - I'm expecting to be modded down, especially editor moderation (how do you make a broken moderation system worse? Absolute power, of course!), I'm just venting some steam (and losing some karma).

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    1. Re:The Hipocracy! by Peyna · · Score: 4, Insightful

      Slashdot = tech community != linux community. Just because there are a lot of Linux zealots that post on slashdot doesn't mean there aren't many other folks out here.

      --
      What?
    2. Re:The Hipocracy! by isorox · · Score: 2

      Limiting the number of posts per day is censoring. What was wrong with them hidden at -1??

      No, it's not. They can still post as an anonymous coward.

      Limiting posts per ip, however, is bad.

    3. Re:The Hipocracy! by Anonymous Coward · · Score: 0

      No, it's not. They can still post as an anonymous coward.
      Limiting posts per ip, however, is bad.


      AC's get 10 posts per day, and it is tracked by IP.

    4. Re:The Hipocracy! by matt4077 · · Score: 0, Redundant

      How come every comment that contains "I'm expecting to be modded down" ends up at +5, insightful?

    5. Re:The Hipocracy! by SpamJunkie · · Score: 1

      the linux community is in an uproar.

      Hmm, are you sure? This doesn't sound like much of an uproar to me. Sure, you're worked up about it but everyone else seems pretty level headed.

      BTW - I'm expecting to be modded down

      Rightly so. Your post is little more relevant than the other trolls.

    6. Re:The Hipocracy! by gyratedotorg · · Score: 1

      Now MS tries to address subjects YOU WANT THEM TO ADDRESS, and the linux community is in an uproar.

      i don't remember asking microsoft to determine what software i'm allowed to run on my machine.

      --
      Gyrate Dot Org - "Where high-tech meets low-life"
    7. Re:The Hipocracy! by MORTAR_COMBAT! · · Score: 1

      because a moderator reads it and thinks, "whoa, they knew what I was going to do before I did it. they must really be smart. I better do the opposite and mod UP."

      --
      MORTAR COMBAT!
    8. Re:The Hipocracy! by sehryan · · Score: 2, Insightful

      I agree, there are probably many, many users who are not linux zealots. I am one of them. But that isn't the root of the problem.

      The problem comes in that the editors of slashdot *ARE* linux zealots. And because of this, anything that Microsoft does is always posted with a negative tint. Even if the original poster is trying to be objective, the editor will stick his $0.02 in, basically to rattle the cage of the other zealots on site. The icon for an MS story is Bill Gates as a borg, for crying out loud!

      That was what the parent was trying to get at (I think). Editors trolling MS stories and using degrading icons aren't exactly helping improve the image of slashdot (or linux).

      --
      The world moves for love. It kneels before it in awe.
    9. Re:The Hipocracy! by Gonzoman · · Score: 1

      Why is it that whenever anything anti-Microsoft appears on /. the microsofties complain about microsoft bashing and then whine that they know they are going to get modded down?

      From the number of times I see comments such as the above, they are obviously not getting modded down.

    10. Re:The Hipocracy! by Anonymous Coward · · Score: 0

      You refer to the slashdot/linux community as a single entity, when in fact it is a very complex system of very many people with very different opinions. The slashdot community is not hypocritical when an article attracting a very large number of microsoft apologists goes against the typical slashdot reaction.

    11. Re:The Hipocracy! by ajs · · Score: 3, Insightful

      When someone mentions they gave up Linux for Windows everyone on slashdot supported MS, and ran against Linux.

      Not I, but that's sort of beside the point.

      But, a few stories later, we find ourselves reaming MS. Now MS tries to address subjects YOU WANT THEM TO ADDRESS, and the linux community is in an uproar.

      Addressing the subject really doesn't do anything. We're concerned about the prospect of OS/hardware DRM and the many possible abuses thereof, not the arm-waving of a convicted market-manipulating monopoly. The simple fact is that MS cannot be trusted, just as Enron cannot be trusted, but that too is beside the point. If Red Hat and Intel were colluding on DRM I would be worried too. This is the sort of thing that could lead us down the road to hardware that does not allow us to write our own drivers or run our own operating systems. It gives large companies (like MS) the hooks to start abusing competitors (especially open source).

      Personally, I just don't see this article as being anti-MS so much as anti-corporate. When has Slashdot ever flinched from that position? What shocked you about that? Did you come to slashdot expecting Forbes?

    12. Re:The Hipocracy! by friscolr · · Score: 1
      I'd like to suggest what someone suggested in the "give up linux" article. We need to STOP railing MS, and start boosting Linux. I don't want Linux to be successful if the success is based on dirty marketing against MS.

      It's not the first time someone's mentioned this. Check out this Byte article from Feb 1996, as found on an advocating OpenBSD page. Many of the other tips on that advocacy page are relevant to the linux camp as well.

    13. Re:The Hipocracy! by jd142 · · Score: 4, Insightful

      Learn how to interpret what you read.

      Now MS tries to address subjects YOU WANT THEM TO ADDRESS, and the linux community is in an uproar.

      No. The main gist of the responses is not that they are upset that MS has addressed the issue, but the way they have addressed the issue.

      If I said, "Killing little girls is a bad thing, it should be stopped," and you responded by saying, "You are right, it is bad. I know, we'll stop it by using sex selection to make sure that only male embryos are brought to term." I would get mad at you not for addressing the issue, but for the idiotic solution. That's what is happening here.

    14. Re:The Hipocracy! by Anonymous Coward · · Score: 0

      Well this is only my opinion but the uproar is because instead of increasing security by improving their code MS think it would be better to just block out everyone else's code.

      If it was the government doing this there would be an uproar and since most people don't regard MS as being above the government then an uproar is what you will get.

      This is just like the terror debate (is there one?), tackle the problem at the source or simply just wall yourself in.. so it's basically freedom vs security..

      If Microsoft want to have Apple style control over the hardware they are welcome to Apple style market share.

    15. Re:The Hipocracy! by Anonymous Coward · · Score: 1, Funny

      Man I hope none of the other users on this Unix system want to post as ACs. This is a ridiculous, single-user OS bias!

    16. Re:The Hipocracy! by daeley · · Score: 4, Funny

      It's because their posts are done with Wizards, don't you know. :)

      --
      I watched C-beams glitter in the dark near the Tannhauser gate.
    17. Re:The Hipocracy! by Anonymous Coward · · Score: 0

      HIPOCRACY! So, Bill's evil plan is that we are to be ruled by horses?

    18. Re:The Hipocracy! by FortKnox · · Score: 2, Informative

      Yes. You are hitting one of the MAJOR points in my argument.

      Unfortunately, this is my last post for the day (yeah, slashdot determines how many posts per day I get, and I only get 10), so I can't argue with any other points until tomorrow.

      Thanks to the editors for determining how many posts it'll take to defend my position!

      --
      Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    19. Re:The Hipocracy! by baldass_newbie · · Score: 1

      How come every comment that contains "I'm expecting to be modded down" ends up at +5, insightful?

      It seems that some sort of self-doubt as to the post's worthiness results in the moderators taking a conciliatory view.

      Of course, I expect to be modded down for this...

      --
      The opposite of progress is congress
    20. Re:The Hipocracy! by EvilBudMan · · Score: 1

      -- This is just like the terror debate (is there one?), tackle the problem at the source or simply just wall yourself in.. so its basically freedom vs security.. --

      ---

      I would rather have more freedom at the expense of greater security, myself.

    21. Re:The Hipocracy! by nirvdrum · · Score: 1

      I'm not a "microsoftie", but I certainly don't condone the bashing of MS. Being juvenile doesn't help your advocacy cause. But the typical answer to that is that there is no advocacy. What then makes you complaining about MS any different from others complaining about you complaining? If you step down from the pedestal, you actually might be able to see better.

      --
      If there was a "-1 Not Funny", that'd be my most used mod.
    22. Re:The Hipocracy! by quinine · · Score: 1

      yup, you're right. Problem is, it's always been like this; even from the beginning. Bashing Microsoft is one of the cornerstone philosophies of Slashdot and that's not likely to change. If you want news with a "fair" bias, you might want to check here instead.

    23. Re:The Hipocracy! by Eric+Damron · · Score: 2

      "Now MS tries to address subjects YOU WANT THEM TO ADDRESS, and the linux community is in an uproar"

      I think the point of the "uproar" is that most of us don't believe that Microsoft is trying to address subjects that we want them to address. Most of us feel this is an attempt to cater to Hollywood and the music industry and possible even kill open source.

      We really have no reason to trust Microsoft. This corporation is totally unrepentant of its past crimes and continues to engage in unacceptable monopolistic practices.

      Bottom line: It would truly be foolish to embrace anything that Microsoft does with open arms without first carefully scrutinizing its actions. The uproar you are complaining about is part of the scrutiny. I give the Palladium scheme a big two thumbs down.

      It IS more about taking control of OUR HARDWARE and limiting OUR CHOICE than it is about security.

      --
      The race isn't always to the swift... but that's the way to bet!
    24. Re:The Hipocracy! by Anonymous Coward · · Score: 0

      Now MS tries to address subjects YOU WANT THEM TO ADDRESS

      Things such as them fading away and dying? Not quite. No they don't address that just yet.

    25. Re:The Hipocracy! by gmhowell · · Score: 2

      Did you read the Jon Lasser article? He was a bit closer to the 'correct' track: "MicroSoft? They make keyboards, right?"

      It's a bit stupid to have blinders on. Even if you don't snag code, snagging ideas is not a bad thing. Perhaps MS will come up with some new ideas.

      (BTW, when I needed new keyboard/mouse, I went STRAIGHT to the MicroSoft offerings. I don't care who invented optical mice. I just like the ones MicroSoft makes.)

      Anyway, I'm surprised you have any karma left, given how often you rail against the party line.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    26. Re:The Hipocracy! by Ziviyr · · Score: 1

      Microsoft never mailed anyone about major security patches that might have stopped the internet from melting down.

      But when they have an opportunity to put their psycholinguistics team to use to get people to agree to pay for extra hardware they'll throw a few servers to the use of pumping out email for their cause.

      It's your subject line.

      --

      Someone set us up the bomb, so shine we are!
    27. Re:The Hipocracy! by gregbaker · · Score: 2
      The Hipocracy... of Slashdot

      I've read this kind of thing before here, and it bugs me every time.

      Suppose you and I are standing next to each other on the street. You say "I don't like that car" and I say "I like that car." Are we hypocritical? No. We are two different people with two opinions.

      If a week ago a bunch of people supported MS plan X and today a bunch of people asserted that it's the work of the devil, there is no hypocrisy as long as they are different people.

      There are some 4e5 registered users around here. Some of them are probably hypocrites. Some of the editors might be hypocrites. The only way for "Slashdot" to be hypocritical is for all of us to agree to have a single opinion on all issues.

      Unless some TOS agreement somewhere has changed, I haven't agreed to any such thing.

    28. Re:The Hipocracy! by Lord+Custos · · Score: 1

      Now MS tries to address subjects YOU WANT THEM TO ADDRESS, and the linux community is in an uproar.
      You miss the point entirely. We are asserting that their solution is more of a problem than the original problem. It intrudes where it is not wanted in rather Orwellian fashion and it doesn't even solve the problem!

    29. Re:The Hipocracy! by kirn_malinus · · Score: 2

      Besides, it's all a waste of time anyway. The open source community needs to halt its collective Palladium whining and do something about it. Palladium as a Microsoft controlled standard will never succeed if there is a superior and more openly controlled alternative.

      --
      All circuits busy.
    30. Re:The Hipocracy! by Anonymous Coward · · Score: 0

      Ha! Very good. The best comment I've read on /. all day.

    31. Re:The Hipocracy! by Dalcius · · Score: 1

      I hope you're being sarcastic when you mention a "fair" bias...

      I recall they took down an article regarding Palladium the other week. I didn't personally deem it particularly negative to MS, but it wasn't a positive post presenting a Clean, Marketable Image (TM).

      --
      ~Dalcius
      Rome wasn't burnt in a day.
    32. Re:The Hipocracy! by Buck2 · · Score: 1

      But ... but ... killing little girls is bad!!

      --

      As my father lik@(munch munch)... ....
    33. Re:The Hipocracy! by _Sprocket_ · · Score: 2

      "Zealot" is one of those really interesting words. There is, of course, a standard dictionary term for the word. However, it does nothing to address the emotional charge behind the word. And it doesn't address how individuals sometimes play fast and loose with that definition.

      I like to think I am not a "Linux Zealot". I am an enthusiast - I choose Linux solutions over Microsoft whenever possible. I distrust Microsoft personally and professionally. But I am more than willing to accept other solutions (I do enjoy Solaris, FreeBSD, and find OS X interesting). I will accept valid criticism of Linux - and there are more than a few points worthy of a critical eye. And I do still run Windows (and Microsoft software) when the situation dictates it.

      Some would still label me as "zealot". Which is fine, because although it's not as much a catch phrase as "Linux Zealot"... there are Microsoft Zealots too. And they're becoming more common in this forum.

      Slashdot's bias against MS is one of the reasons I began frequenting this site. In many ways, it was a reaction to the blatant positive MS spin that was evident in most tech publications (and still is even though it's become more popular to be critical of Microsoft).

      Granted - it gets out of hand. Microsoft sometimes gets bashed when there's no reason to. Which is silly. MS offers more than enough reasons otherwise... despite what the Microsoft Zealots claim.

    34. Re:The Hipocracy! by Anonymous Coward · · Score: 0

      Isn't a 'hipocracy', like a democracy, except it is ruled by doctors?

      Anyway, M$ is not addressing security. They merely _say_ they are addressing security. That's something completely different.

    35. Re:The Hipocracy! by Archie+Steel · · Score: 2

      Guys, if you don't like the site's editors, you can always hang somewhere else...no one's forcing you to come to Slashdot!

      --

      Reminder: find a new sig
    36. Re:The Hipocracy! by isorox · · Score: 2

      screw that, my entire 15,000 university goes through 3 proxies!

    37. Re:The Hipocracy! by Anonymous Coward · · Score: 0

      I choose Linux solutions over Microsoft whenever possible. I distrust Microsoft personally and professionally.

      You probably also smell like a rotten onion and your pasty flesh is covered with acne. Get out every once in a while! Don't spend so much time huddled in your basement stuffing twinkies on your mouth while waiting for your 2.4.1.6.3.2.34.2 kernel to compile ("Now my sound card might work!").

    38. Re:The Hipocracy! by amRadioHed · · Score: 1
      It seems that some sort of self-doubt as to the post's worthiness results in the moderators taking a conciliatory view.

      Of course, I expect to be modded down for this...
      Hehe, nice try! Too bad it didn't work.
      --
      We hope your rules and wisdom choke you / Now we are one in everlasting peace
    39. Re:The Hipocracy! by Anonymous Coward · · Score: 0

      I don't remember you having a brain either.

    40. Re:The Hipocracy! by A_Non_Moose · · Score: 2


      I think it'd be in Linux's best interest if Slashdot didn't write anything negative about MS, just tech updates or whatever.


      I agree completely.

      Perhaps we should call it windowsupdate.slashdot.org and see what happens. :)

      --
      Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
    41. Re:The Hipocracy! by geekee · · Score: 1

      Your analogy is terrible. Microsoft has a very legitimate solution to a real problem. Unfortunately, slashdot will post any conspiracy theory that's pro-linux over real news that's pro-Microsoft.

      --
      Vote for Pedro
    42. Re:The Hipocracy! by Lips · · Score: 1

      Now MS tries to address subjects YOU WANT THEM TO ADDRESS, and the linux community is in an uproar.

      But they aren't doing what I want them to address. I want my Windows machines to be reliable and secure. I want the web sites I create for my clients to stay up and not be compromised. But I want to stay in control of my stuff. What Microsoft is doing, they are doing for themselves.

      This is the start of the new MSN. The original MSN was meant to be their proprietary network. Total control by them. The open standards Internet explosion changed that. In time, web pages will become "protected content". Every time the average user will go to a non IIS or non signed server, IE will pop up a message saying this server isn't secure. Guess what, 90% of people run IE...

    43. Re:The Hipocracy! by fishbowl · · Score: 2

      >Guess what, 90% of people run IE...

      Yeah, and a good number of them will be asking their local nerd "how can I get rid of this annoying 'insecure' deal that pops up all the time?"

      And a few of them will get mozilla, a few will get registry edits, and life goes on.

      --
      -fb Everything not expressly forbidden is now mandatory.
    44. Re:The Hipocracy! by Reziac · · Score: 2

      Well, here's a real question then.. given that somewhere between 40-60% (depending whose stats you believe) of internet servers are *NIX-based.. let's say Palladium is implemented in hardware, and does indeed tend to lock out unsigned code no matter how often the user turns that off. Given that hypothesis:

      What happens to servers that need the occasional patch, as they all do for one reason or another? How in the world would digital signing keep up with the flow of patches, which sometimes comes to several a month? (How many sysadmins will jump off a bridge as a result?)

      Occurs to me that even if digital signatures are freely provided for free software and patches thereto, all that's required to kill free software in the server environment (the one place where it REALLY has a solid foothold) is to *delay* issuing those signatures .. just enough to make continuing to use free software commercially impractical.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    45. Re:The Hipocracy! by Anonymous Coward · · Score: 0

      and then whine that they know they are going to get modded down?

      A 'lot' of the mods are very, very easily swayed by reverse psychology.

    46. Re:The Hipocracy! by whereiswaldo · · Score: 1

      Try this:

      - gather all the names of the people who replied to the previous article you speak of and mark whether they supported microsoft or linux
      - gather all the names of the people who reply to this article and mark whether they supported microsoft or linux

      Do you think it's the same people who replied to both articles? In many cases, sure, but not all.

      And I don't agree with the moderation system either, but you saying "I'm expecting to get moderated down" is like saying sarcastically "I'm expecting to get thrown in jail" after robbing a store.

    47. Re:The Hipocracy! by Alsee · · Score: 2

      Microsoft has a very legitimate solution to a real problem.

      The problem that Palladium solves is that Microsoft and RIAA and MPAA don't trust users and their computers. Computers are general purpose machines and will do whatever the owner tells them to do.

      Palladium does one thing and one thing only: Palladium shuts down parts of the hardware if you try to run an unsigned program.

      If you're a programmer I suggest you take a much closer look at how Palladium actually works rather than how Microsoft is trying to hype it. It takes control over the computer away from the owner. It is nothing but a vehicle for DRM. Microsoft's "pro-user" claims are all smoke. Is it going to stop viruses? Nope. Is it going to stop spam? Nope. Will it protect your privacy? No, it will help invade your privacy. Companies will be able to use "trusted code" to enforce that they can positively identify you.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    48. Re:The Hipocracy! by _Sprocket_ · · Score: 2

      Oh, how cruel. You have cut me deeply with a comical stereotype penned in an anonymous hand. How will I ever recover from this "truth" that I have been forced to confront?

      All you have to do is say "Microsoft Zealot" and one or two of the turkeys will puff up and come charging out of whatever recesses they hide in.

    49. Re:The Hipocracy! by Peter+Harris · · Score: 2
      Palladium as a Microsoft controlled standard will never succeed if there is a superior and more openly controlled alternative.
      There is such an alternative: NOTHING. That's right, hardware that just runs the bloody software that you tell it to. Superior, open, what more could you want?
      --

      -- What do you need?
      -- Gnus. Lots of Gnus.
    50. Re:The Hipocracy! by Anonymous Coward · · Score: 0

      How will I ever recover from this "truth" that I have been forced to confront?

      The first step towards recovery is to admit that you have a problem. Put the twinkie down and back away from the computer.

      Also, you might want to cut down on the pr0n.

    51. Re:The Hipocracy! by _Sprocket_ · · Score: 2

      OK. Sure. I'll play along. We wouldn't want to ruin the little fantasy, would we? Just like all those "hot babes" you spend your time talking to in chat rooms and for $1.99/min on the phone.

  6. The meat by The+Bungi · · Score: 2, Informative

    This is not the entire message, but it pretty much covers it. I removed the intro and market spiel and the "What you can do" section at the end.

    It's interesting that I got this since I specifically asked Microsoft to stop sending me *anything* and they complied. At least until now. I guess they pulled out all the email addresses they've collected over the last 8 years.

    -------------

    As I've talked with customers over the last year - from individual consumers to big enterprise customers - it's clear that everyone recognizes that computers play an increasingly important and useful role in our lives. At the same time, many of the people I talk to are concerned about the security of the technologies they depend on. They are concerned about whether their personal data is being protected. Although they know that computers can do amazing things, they are frustrated that their technology doesn't always work consistently. And they want assurances that the high-tech industry takes these concerns seriously and is working to improve their computing experience.

    Six months ago, I sent a call-to-action to Microsoft's 50,000 employees, outlining what I believe is the highest priority for the company and for our industry over the next decade: building a Trustworthy Computing environment for customers that is as reliable as the electricity that powers our homes and businesses today.

    This is an important part of the evolution of the Internet, because without a Trustworthy Computing ecosystem, the full promise of technology to help people and businesses realize their potential will not be fulfilled. Ironically, it is the growth of the Internet and the advent of massive computing systems built from loose affiliations of services, machines, communications networks and application software that have helped create the potential for increased vulnerabilities.

    There are already solutions that eliminate weak links such as passwords and fake email. At Microsoft we're combining passwords with "smart cards" to authenticate users. We're also working with others throughout the industry to improve Internet protocols to stop email that could propagate misleading information or malicious code that falsely appears to be from trusted senders. And we are making fundamental changes in the way we develop software, in our operational and business practices, and in our customer support efforts to make the computing experiences we provide more trustworthy.

    For example, we've historically made our software and services more compelling for users primarily by adding new features and functionality. While we are continuing to invest significantly in delivering new capabilities that customers ask for, we are now making security improvements an even higher priority than adding features. For example, we made changes to Microsoft Outlook to block email attachments associated with unsafe files, prevent access to a user's address book, and give administrators the ability to manage email security settings for their organization. As a result of these changes, the number of email virus incidents has dropped dramatically. In fact, email viruses like the recent "Frethem" virus propagate only to systems that have not been updated - underscoring the importance of updating them regularly.

    We are also undertaking a rigorous and exhaustive review of many Microsoft products to minimize other potential security vulnerabilities. Earlier this year, the development work of more than 8,500 Microsoft engineers was put on hold while we conducted an intensive security analysis of millions of lines of Windows source code. Every Windows engineer and several thousand engineers in other parts of the company were also given special training in writing secure software. We estimated that the stand-down would take 30 days. It took nearly twice that long, and cost Microsoft more than $100 million. We've undertaken similar code reviews and security training for Microsoft Office and Visual Studio .NET, and will be doing so for other products as well.

    THE TRUSTWORTHY COMPUTING FRAMEWORK

    Trustworthy Computing has four pillars: reliability, security, privacy and business integrity. "Reliability" means that a computer system is dependable, is available when needed, and performs as expected and at appropriate levels. "Security" means that a system is resilient to attack, and that the confidentiality, integrity and availability of both the system and its data are protected. "Privacy" means that individuals have the ability to control data about themselves and that those using such data faithfully adhere to fair information principles. "Business Integrity" is about companies in our industry being responsible to customers and helping them find appropriate solutions for their business issues, addressing problems with products or services, and being open in interactions with customers.

    Creating a Trustworthy Computing environment requires several steps:

    - Making software code more secure and reliable. Our developers have tools and methodologies that will make an order-of-magnitude improvement in their work from the standpoint of security and safety.

    - Keeping ahead of security exploits. Distributing updates using the Internet so that all systems are up to date. Windows Update and Software Update Services, discussed below, provide the infrastructure for this.

    - Early Recovery. In case of a problem, having the capability to restore and get systems back up and running in exactly the same state they were in before an incident, with minimal intervention.

    FIRST STEPS TOWARD MORE TRUSTWORTHY COMPUTING

    There is still much work that Microsoft and others in our industry must do to make computing more trustworthy. Here is a summary of some of the progress we've made, six months after my email to Microsoft employees:

    - We have changed the way we design and develop software at all phases of the product development cycle. Our new processes should greatly minimize errors in software, and speed up the development process for new products and services.

    - Software Update Services (SUS) is a security management tool for business customers that enables IT administrators to quickly and reliably deploy critical updates from inside their corporate firewall to Windows 2000-based servers and desktop computers running Windows 2000 Professional and Windows XP Professional.

    - Microsoft Baseline Security Analyzer is a new tool that customers can use to analyze Windows 2000 and Windows XP systems for common security misconfigurations, and to scan for missing security hot fixes and vulnerabilities on a variety of products, including newer versions of Internet Information Server, SQL Server and Office.

    - In addition to providing customers with tools and resources to help them maximize the security of Windows 2000 Server environments, we are committed to shipping Windows .NET Server 2003 as "secure by default." We believe it's critical to provide customers with a foundation that has been configured to maximize security right out of the box, while continuing to provide customers with a rich set of integrated features and capabilities.

    - The error-reporting features built into Office XP and Windows XP are giving us an enormous amount of feedback and a much clearer view of the kinds of problems customers have, and how we can raise the level of reliability in those products - and that of products made by other companies. As part of this effort, we recently created a secure Web site where software and hardware vendors can view error reports related to their drivers, utilities and applications that are reported through our system. This enables the vendors who work with us to identify recurring problems and address them far more quickly than in the past. All of our server software products will incorporate these error-reporting features in subsequent versions of the products.

    - With Microsoft Windows Update, we are completing the customer-feedback loop based on the error-reporting features mentioned above. This globally available Web service delivers more than 300 million downloads per month of the most current versions of product fixes, updates and enhancements. When customers connect to the site, they can choose to have their computer automatically evaluated to check which updates need to be applied in order to keep their system up-to-date, as well as identify any critical updates to keep their system safe and secure.

    - We are working on a new hardware/software architecture for the Windows PC platform, code-named "Palladium," which will significantly enhance users' system integrity, privacy and data security. This new technology, which will be included in a future version of Windows, will enable applications and application components to run in a protected memory space that is highly resistant to tampering and interference. This will greatly reduce the risk of viruses, other attacks, or attempts to acquire personal information or digital property with malicious or illegal intent. Our goal is for the Palladium development process to be a collaborative industry initiative.

    - We've incorporated what is known as P3P (Platform for Privacy Preferences) technology in the Internet Explorer browser technology in Windows XP, which enhances a user's ability to set privacy levels to suit his or her needs. The P3P standard enables a user's browser to compare any P3P-compliant Web site's privacy practices to that user's privacy settings, and to decide whether to accept cookies from that site.

    Identifying and addressing critical Trustworthy Computing issues will require significant collaboration across our industry. One example of the kind of cross-industry effort we need more of is the recent creation of the Web Services Interoperability (WS-I) Organization (http://www.ws-i.org/). Founded by IBM, Microsoft and other industry leaders including Intel, Oracle, SAP, Hewlett-Packard, BEA Systems and Accenture, WS-I's mission is to enable consistent and reliable interoperability of XML-based Web services across a variety of platforms, applications and programming languages. Among other things, WS-I will create a suite of test tools aimed at addressing errors and unconventional usage in Web services specifications implementations, which in turn will improve interoperability among applications and across platforms.

    1. Re:The meat by Reziac · · Score: 2

      I feel slighted. I'm not only on a couple M$ mailing lists, I'm a flippin' shareholder, and *I* didn't get this email!

      Tho as a M$ shareholder, my response to M$ is this: lay off the control freakery. You hurt my stock value with XP's activation crap; you'll damage it more with Palladium. This is not responsible corporate behaviour (defined for this purpose as "your first duty is to your shareholders").

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  7. Progress indeed, and innovation by SpatchMonkey · · Score: 2, Insightful
    • There are already solutions that eliminate weak links such as passwords and fake email. At Microsoft we're combining passwords with "smart cards" to authenticate users. We're also working with others throughout the industry to improve Internet protocols to stop email that could propagate misleading information or malicious code that falsely appears to be from trusted senders. And we are making fundamental changes in the way we develop software, in our operational and business practices, and in our customer support efforts to make the computing experiences we provide more trustworthy.
    Now this is progress. From actions like these in the computer software industry we can see that they are gradually moving away from the 'hacker' mentality (as in 'hack it together and hope it works') to a more formal design process. Like, software engineering might actually live up to its title!

    And the closer computing gets to more comfortable real-life metaphors, such as using human-orientated media such as eyeballs and fingers, the more comfortable people will generally find the technology.

    Aye man. Innit.
    1. Re:Progress indeed, and innovation by germinatoras · · Score: 1
      We're also working with others throughout the industry to improve Internet protocols to stop email that could propagate misleading information or malicious code...

      I hope you don't actually buy into this! Allowing Microsoft to 'improve' internet protocols would be releasing a bull in a china shop. Besides, who is responsible for the vast majority of email that propagates misleading information or malicious code? Hint: It ain't Pine.

    2. Re:Progress indeed, and innovation by SpatchMonkey · · Score: 1

      It isn't just Microsoft, they did mention that they are "working with others".

      And yes, their products in particular do have a problem with this - it is good that they are trying to sort it out by humbling themselves to ask advice of others rather than pompously ignoring it.

    3. Re:Progress indeed, and innovation by Anonymous Coward · · Score: 0

      Eyeballs and fingers? Ick! I don't want a computer to be staring back at me. Ditto with the rest of the major appliances and furniture. I'm sorry, but I like my refrigerator just the way it is, thankyouverymuch.

  8. Homogeny and missing virtue by germinatoras · · Score: 1

    I used to register microsoft {soft|hard}ware when I purchased it, but I stopped a while ago when I got spammed like this. Anyway...

    The scariest part of this e-mail is Microsoft's blame on "loosely-knit" services as a key source of vulnerabilities. I hold the belief that homogeneous, not heterogeneous systems are more vulnerable to attack.

    The implication is that Microsoft thinks an All-Microsoft shop is a secure shop. I suppose their newly-created initiative to focus on security has twin goals: Increase the reliability of their software, and push customers into an all-Microsoft environment.

    The end result will be a much more vulnerable network. Not necessarily because of using Microsoft software, but because of keeping everything homogeneous.

    1. Re:Homogeny and missing virtue by germinatoras · · Score: 1

      That makes sense. Maybe it's not quite the conspiracy I made it out to be.

      btw, that's the most kind, gentle correction I've ever received on Slashdot. :)

    2. Re:Homogeny and missing virtue by mla_anderson · · Score: 1
      As long as all software ever used is Microsoft software then the system is reasonably safe...once you allow other people and/or companies to develop software an MS system becomes insecure.

      So hands up for everyone who wants to run only MS software.

      My hand is most definitely down.

      I'm too lazy to write a sig

      --
      Sig is on vacation
  9. One-time Mailing? by Anonymous Coward · · Score: 0
    Where does he say it is a one-time mailing?

    This is the first in an occasional series of mails that CEO Steve Ballmer and I, and periodically other Microsoft executives, will be sending to people who are interested in hearing from us about technology and public-policy issues that we believe are important to computer users, our industry and everyone who cares about the future of high technology.
    [emphasis mine]
  10. The Right to Read by Kafka_Canada · · Score: 5, Insightful

    A nice, and a propos story by RMS, called The Right to Read, can be found here. Definitely worth the read.

    --
    Fuck it
    1. Re:The Right to Read by dafozzee · · Score: 0, Redundant

      But what if they revoke my licence to read it?

  11. Interesting logic... by antirename · · Score: 1

    Passwords are a weak link, but Passport isn't? Doesn't Passport ask for a password? Oh, never mind, I get it... that's what we need a smart card/universal ID for... I feel much safer now.

  12. I posted the same thing by Anonymous Coward · · Score: 0

    I posted the same thing but it talked more about Trustworthy computing....which is what the spam-gram is about.

    the mail can be found there. Quite annoying really.

  13. Link down? by Mr.+McGibby · · Score: 1

    Right now I get:

    Sorry, we were unable to service your request. As an option, you may visit any of the pages below for information about Microsoft services and products.

    --
    Mad Software: Rantings on Developing So
  14. Loosing LinTel? Why worry? by Minkey+Brines · · Score: 0

    I don't see what the problem is... There will always be sheeple who can't live without Micro$oft dominating their lives, stripping them of their freedom. Palladium is simply the glue that finally binds Microsoft to Intel to make WinTel.

    Is that so bad? I mean, yes Intel x86-based hardware is cheap. Palladium hardware will probably be cheaper (due to an easement of fears about Digital Rights Management).

    So what? We should only worry about it if we can only see Linux as LinTel. In fact, it is not. It runs on just about any platform in existence. So, don't worry... Be happy! Let go of Intel/Palladium. Follow Linux where it can go.

  15. Another take on DRM by astrashe · · Score: 5, Insightful

    I think the community's response to DRM is wrong. I don't think that the analysis of it is wrong -- it's a very negative technology. But I think the response is a little off.

    If MS wants to put the interests of the large media companies ahead of the interests of its own customers, the people who actually buy the computers and the software, why not let them take it to the market? Let's let the market decide what it thinks of that. Let's give them enough rope to hang themselves.

    The thing that we have to worry about is some sort of legal framework that requires all computers to respect some DRM system.

    MS is way ahead on the desktop, and their systems have gotten a lot better than they used to be. The only way they're going to get dislodged from that position is by making a really catastrophic mistake.

    This could be that mistake!

    I think there's a lesson in the current stock market scandals. The big companies can buy legislators. They've shown that they can derail effective regulation of accounting rules. They can set things up so that a crooked CFO who bilks people out of billions and sends the markets into a spiral that wipes out the savings of millions of people gets a lighter punishment than a punk who robs a liquor store.

    But in the end, there's nothing they can do against the force of the market itself. They got cocky -- they thought they could get away with anything. It turns out that they can't.

    Neither can the DRM boys.

    1. Re:Another take on DRM by 7-Vodka · · Score: 2

      actually, while the companies with crooked accounting went down in a ball of flame; most of the guilty white-collars responsible for it got out early with millions and are now pleading the 5th in front of congress. Not a single one has gone to jail yet. Anyone wanna place bets on whether any will?

      --

      Liberty.

    2. Re:Another take on DRM by southpolesammy · · Score: 2

      I think there's a lesson in the current stock market scandals. The big companies can buy legislators. They've shown that they can derail effective regulation of accounting rules. They can set things up so that a crooked CFO who bilks people out of billions and sends the markets into a spiral that wipes out the savings of millions of people gets a lighter punishment than a punk who robs a liquor store.

      You know, I began to think about this statement, and realized that what the corrupt corporations are doing is no better than the mob making a living by racketeering. The punk robs a few bottles and perhaps some cash, the mob takes the entire store and sells it at a loss to pad their own pockets. It's really no different at the corporate scandal level.

      --
      Rule #1 -- Politics always trumps technology.
    3. Re:Another take on DRM by lunenburg · · Score: 2
      If MS wants to put the interests of the large media companies ahead of the interests of its own customers, the people who actually buy the computers and the software, why not let them take it to the market? Let's let the market decide what it thinks of that. Let's give them enough rope to hang themselves.

      The thing that we have to worry about is some sort of legal framework that requires all computers to respect some DRM system.

      Bingo. That's the danger with "letting the market decide" on DRM. If it was that simple, we wouldn't have anything to worry about, because DRM-restricted technology would die a fiery death so horrible it'd make Circuit City's Divx look pretty. Big Hollywood knows this, so in addition to pushing DRM to the major technology players, they're going to Congress to make any technology that doesn't do DRM illegal.

      So we'll get a situation where Microsoft/AOL/Sony/etc. all get the license to provide the legal DRM systems, and anyone who wants to develop any innovative new technology will have to get the blessing from the DRM priests before they can bring that technology to market. If you thought corporate technology monopolies were bad before, wait 5-10 years.

    4. Re:Another take on DRM by EvilBudMan · · Score: 1

      --If MS wants to put the interests of the large media companies ahead of the interests of its own customers, the people who actually buy the computers and the software, why not let them take it to the market? Let's let the market decide what it thinks of that. Let's give them enough rope to hang themselves.

      The thing that we have to worry about is some sort of legal framework that requires all computers to respect some DRM system.--

      You bet, but I wouldn't count on them hanging themselves. M$ has plenty of cash to grease the wheels. They'll just get a law passed and you will have no choice but DRM then.

    5. Re:Another take on DRM by t · · Score: 3, Insightful
      Even if a law requires it, it can still fail spectacularly. Imagine that the law passes and they say that on Jan 1, 2003, all computers sold must be compliant. There'll be huge rush on the grandfathered computers. I find my 900MHz Athlon from years ago still more than capable for everything I do. What will happen is after Jan 1, 2003, sales will plummet. Intel/Asus/etc... will start bleeding money like never before. Sales will be completely stagnant. Can the populace wait 1 measly year before buying a new computer? Easily. Can Intel et al survive a black year? Hell no. The laws will get negated faster than a virus appearing in your email.

      t.

    6. Re:Another take on DRM by quantaman · · Score: 2

      DeCSS ring a bell?

      What happens when the media giants decide only M$ can legally play the media that they distribute?
      If the media giants say only M$ can play those formats they have the DRM they've been looking for all along. Of course once this happens as opposed to being less attractive by violating your rights M$ will in fact become more attractive because they will be the only ones who are allowed to use the media at all!

      --
      I stole this Sig
    7. Re:Another take on DRM by Anonymous Coward · · Score: 0

      But what if people 'just get used to it' (in reference to DRM)? People 'just got used to' the insane crashing that Windows 9x was known for. The consumers accepted it as a necessary evil, I guess, since not that many people were even switching to Windows NT on the desktop. Much less, for example, OS/2 (which could run most Windows software).

      Now, if people can't decide on their own to switch from Windows 9x to NT due to stability, how are they going to switch from Windows 'XP+DRM' to something as foreign as Linux, MacOS X, BSD, or whatever other projects show up? But maybe you're correct :). We'll see soon, for better or for worse.

  16. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  17. OpenBSD by oliverthered · · Score: 1

    I think the BSD licence lets them use the whole OS as a basis for a closed source system, I wouldn't put it past them.
    I'm sure bill would manage to slip an extra O in there somewhere though.
    OpenBSOD

    --
    thank God the internet isn't a human right.
    1. Re:OpenBSD by questionlp · · Score: 1

      Knowing Microsoft's history of "secure" software, I think OpenGates would be a better name. Not only would it match the first release's security (pre-SP4 that is) but also help inflate Gate's already enormous ego. The last bit is a good thing, right? ...anyone? :)

  18. Re:Kittens? by Anonymous Coward · · Score: 0
  19. Hit reload... by Anonymous Coward · · Score: 0

    I got the same thing my first couple of tries. Hard to believe that Microsoft got Slashdotted...

  20. losing some karma by Anonymous Coward · · Score: 0

    Ever notice how half the +5 comments on Slashdot mention the poster expects to be modded down?

    1. Re:losing some karma by baldass_newbie · · Score: 1

      It seems that some sort of self-doubt as to the post's worthiness results in the moderators taking a conciliatory view.

      Of course, I expect to be modded down for this...

      --
      The opposite of progress is congress
    2. Re:losing some karma by Anonymous Coward · · Score: 0

      "Nine out of ten women would have taken the whip away from [Nietzsche], and he knew it, so he kept away from women" - Bertrand Russell

  21. linking... by Destoo · · Score: 1

    I wonder why the article is all linking back to microsoft's sites, in the WHAT YOU CAN DO section.
    I mean, there's bound to be more sources of information on the security Microsoft has to offer, no?

    Anyone tried to read that page with Netscape 4.7?
    xx-small fonts... yowtch.
    Somehow it is showing up properly on IE. (sarcasm)very strange(/sarcasm)

    --
    News on games and technology, in French. TC
  22. Umm, no by dant · · Score: 5, Insightful
    Now MS tries to address subjects YOU WANT THEM TO ADDRESS, and the linux community is in an uproar

    Who here do you think wanted MicroSoft to address DRM in the operating system? I'd guess almost nobody.

    Who here do you think wanted MicroSoft to address the 'problem' of users having complete control over their own machines? Again, nobody.

    I see no change in attitude here at all. The Slashdot crowd has always disliked DRM and giving Bill the keys to your computer--and that's exactly why there is so much anger at Palladium.

    And while I agree with you that we'd be better off boosting Linux than trashing MicroSoft all the time, you still have to point out significant dangers when you see them.

    1. Re:Umm, no by nirvdrum · · Score: 0, Offtopic

      Don't speak for a crowd that you are not qualified to represent.

      --
      If there was a "-1 Not Funny", that'd be my most used mod.
  23. If my memory serves me right... by MsGeek · · Score: 2

    ...Windows Update once got hammered by Code Red. "Hacked By Chinese" in big block letters. There goes your theory down in flames.

    --
    Knowledge is power. Knowledge shared is power multiplied.
  24. Nice FUD but ... Re:Palladium is E-V-I-L by gilroy · · Score: 4, Informative
    Blockquoth the poster:
    Of course, how many times has Microsoft been hacked? Not their misconfigured software set up by users in the field, but their truly important computers, the ones they pay attention to.

    Never.
    Hmmm. A quick search on google yielded:
    • http://www.attrition.org/security/commentary/ms16.html : Including the Windows Update site -- which I suspect they "pay attention to".
    • http://www.computeruser.com/news/01/01/25/news9.html
    • http://www.vnunet.com/News/1115617
    • http://cert.uni-stuttgart.de/archive/isn/2001/05/msg00028.html
    Indeed, that first page includes the interesting fact:
    This makes the 17th time a Microsoft Web site has been defaced including the corporation's global sites in Brazil, Slovenia, New Zealand, Mexico, UK, Saudi Arabia and South Africa as well as six servers from their corporate headquarters.
    So I guess for Microsoft, "never" has the same definition as "always" does for their uptimes: some short duration.
    1. Re:Nice FUD but ... Re:Palladium is E-V-I-L by elmegil · · Score: 2

      Obviously sllort wasn't paying attention when it was announced that the source code to windows had been compromised by Russian hackers. Hardly "never".

      --
      7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
    2. Re:Nice FUD but ... Re:Palladium is E-V-I-L by Gandalf21 · · Score: 1

      Actually, how many times has Microsoft been hacked, and not mentioned it to the public (the same way banks and credit card companies hide their problems)?

    3. Re:Nice FUD but ... Re:Palladium is E-V-I-L by 1010011010 · · Score: 2


      Exactly. We *know* that Microsoft's source code has been compromised by 'hackers.' It was in the news!

      But, oh yeah, it's the verifiable open-source code we have to worry about -- that's the dangerous stuff!

      --
      Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
    4. Re:Nice FUD but ... Re:Palladium is E-V-I-L by Badaro · · Score: 1

      This makes the 17th time a Microsoft Web site has been defaced including the corporation's global sites in Brazil, Slovenia, New Zealand, Mexico, UK, Saudi Arabia and South Africa as well as six servers from their corporate headquarters.

      Just a correction, in the Brazilian case, Microsoft was not hacked. You see, www.microsoft.com.br is just a redirector to www.microsoft.com/brasil, and is IIRC maintained by Terra. And only this redirector was hacked.

      []s Badaro

      --
      My sig became obsolete, and I lack the imagination to create a new one. :(
  25. Microsoft IP by gwernol · · Score: 5, Informative

    One of the ...ahem... interesting things Bill says is: "We're also working with others throughout the industry to improve Internet protocols to stop email that could propagate misleading information or malicious code that falsely appears to be from trusted senders." (emphasis added)

    Bob Cringley has written a couple of good articles on exactly this, the second related directly to Palladium. Check them out.

    Cringley also has an article on the consequences of Palladium not working.

    --
    Sailing over the event horizon
    1. Re:Microsoft IP by 2Bits · · Score: 2

      One of the ...ahem... interesting things Bill says is: "We're also working with others throughout the industry to improve Internet protocols to stop email that could propagate misleading information or malicious code that falsely appears to be from trusted senders." (emphasis added)


      Hey, I don't have a problem with that, if that can stop all the FUD and other crap from Redmond...

    2. Re:Microsoft IP by pmz · · Score: 2

      Cringley also has an article [pbs.org] on the consequences of Palladium not working.

      It's interesting that people are already devising their methods of attack, even before the technology is really available. If I recall correctly, the same happened with .NET a while ago, where someone devised a .NET virus or worm before .NET was released.

      I think most humans are chronically short-sighted yet enthusiastic and optimistic, but a few other humans are mischievous, cynical, and smarter than the rest. This is why Palladium will not live up to its promises (i.e., Microsoft is among the optimists, and, thus, already blind to their errors).

      Freedom on the Internet, where copyright has its place but isn't enforced blindly by technology, is the only way to ensure the continuing success of the Internet. Freedom is what fuels much of our enthusiasm for learning. Freedom also fuels integrity, because politicians and executives fear the spread of knowledge. Microsoft threatens both learning and integrity.

      I really enjoyed this from the DRM workshop story: "...it was the job of content producers and the tech industry to offer consumers something 'better than free.'" Even when faced with Freedom, Linux distributors started selling usefully packaged distributions and services. Many companies sell bottled water, which in some countries can save your life. One doesn't have to go far to find pre-cut firewood on sale nor very far to have gravel delivered for a driveway. Somehow, lots of people have figured out ways to sell something that is otherwise free.

      The lesson is that content providers, so far, just haven't been thinking very hard. If their content is so valuable, then they should be able to package it in some manner that entices some people to buy it. They just have to accept that only a subset of consumers will actually buy it (as with Linux or firewood) but be savvy enough to get a lot of people to buy it. This is all they need to stay in business.

  26. Run You Fools!! by cOdEgUru · · Score: 2

    In my mind I see hundreds of SysAdmins at M$ waking up from their afternoon slumber scurrying across their cubholes screaming ....eeeee slashdot....iiiieeeeeee....

    Maybe we should make it a Friday thing, post a note on the main page requesting all anti-M$ geeks to click on a M$ story or another Bill's email at sharp 3:00 Eastern time (which happens to be 12:00 lunch time for Seattle when all the Sysadmins at M$ happen to be beefing up on Tofu).

    3:30 Eastern Time : Long live www.microsoft.com!

  27. What about Linadium? by Rantastic · · Score: 1

    Linadium is a new chip that will be placed in all computers so that they only run code that Linus signs. Linus promises to only sign code that is totally secure, in this way he will help Microsoft by saving them time and money.

    Incidentally, it's pronounced so that the "lin" rhymes with bin, not wine.

    --
    Ask Slashdot: Where bad ideas meet poor googling skills.
  28. I smell a TROLL by LNXd00d · · Score: 0, Flamebait
    D00D, your post is so full of shit I don't even know where to start.

    If Palladium succeeds, and Linux doesn't follow, then Linux machines will be the only computers that can get viruses. How ironic would that be?

    Um, Linux has never had a virus. EVER. NEVER!!! Palladium is not going to make a million virii suddenly pop out of nowhere for Linux and start infecting machines. Linux has a little thing called USER SECURITY that protects users from losing data to virii like that.

    * End the untrusted binary problem. Viruses will be blacklisted by a remote server - no more email viruses, ever
    * End the trojan horse/worm problem

    If Micro$uck didn't make Outlook suck so damn much, we wouldn't have to worry about trusted binaries to begin with!!

    Big companies like IBM (and especially the government) may use it for document control, but that's about it.

    ANY amount of control over my computer is a violation of my RIGHTS. It doesn't matter if it's the computer at my house or my workstation at work. My IT department has NO BUSINESS telling me what I can and can't run on my workstation. It's MINE.

    You're such a troll you make me want to kick Bill Gates in the ass for paying you to post that comment. Linux rules. There's just nothing better, and Micro$oft knows this. The only way they can stop linux is by taking total control of computers, and this is exactly what they're doing. I'm not going to stand idly by while they take my rights away from me.

    --
    Friends don't let friends use Wind0ze!!
    1. Re:I smell a TROLL by Anonymous Coward · · Score: 0

      You're so full of shit I don't know where to start!

    2. Re:I smell a TROLL by Anonymous Coward · · Score: 0

      > Linux rules. There's just nothing better

      Hah haaaaah ha ha ha ha whoooooooh oooh hooo hoo hooo - haaaaarggh haaa haa haa haaaaaaaaa - eeeeeeeeh heeeeeee heeeee heeeeeee - bwaaaaaaaah haaaaaaah aaaaaaah [etc.]

    3. Re:I smell a TROLL by Maeryk · · Score: 2

      Um, Linux has never had a virus. EVER. NEVER!!! Palladium is not going to make a million virii suddenly pop out of nowhere for Linux and start infecting machines. Linux has a little thing called USER SECURITY that protects users from losing data to virii like that.

      Sure it does. So does Outlook. It's called "turn off the preview pane" among other things. There are plenty of trojans for Linux. Whether you consider them a "virus" depends on whether you know what you are talking about, or are a copy writer for MSNBC.

      ANY amount of control over my computer is a violation of my RIGHTS. It doesn't matter if it's the computer at my house or my workstation at work. My IT department has NO BUSINESS telling me what I can and can't run on my workstation. It's MINE.

      Uhh.. really? I think you are pretty severely mistaken. As long as you are operating within the laws, yeah.. you may be right. But everyone has plenty of business telling you what you can and cannot run on your workstation. Pirated software, illegal content, running a webserver without permission on someone else's network.. these are all things you AIN'T SUPPOSED TO DO.

      Screaming "you are violating my civil rights by not letting me break the law" is ridiculous.

      Your company has EVERY right to tell you what they do or don't want you running on "your" (their) workstation. Why? Corporate licensing, lack of compatibility with their preferred software, their agreements with software manufacturers, and their liability for a few.

      Linux doesn't "rule".. it does perform very well in certain situations.. Windows does too, depending on what you are looking at for a system.

      dude.. rm -rf /ass/head will ya?

      Maeryk

      --
      Feminine Protection? What is that? A chartreuse flame thrower?
    4. Re:I smell a TROLL by Archie+Steel · · Score: 2

      I think the point he was trying to make is that stuff that he can run now will no longer run in a Palladium world. Consider the case of Open-Source programmers whose applications they may not be able to have signed (unless they pay premium fees or wait six months in a "validation" queue). Hey, let's say I write a Perl script to automate some tasks on my computer: will I be able to run it on Palladium hardware? Surely I won't be able to sign it...

      I see Palladium as the content industry's Trojan horse. It's pretty clear that they want to shut out smaller, independent players from a market they already control. Fact is, Hollywood has been making more money, not less, since piracy has started. And if the record industry has been selling less CDs, it's mostly because of two things: a) they publish more crap than quality and b) people are buying lots more DVDs nowadays (with either the same amount of disposable income or less). Check the numbers and do the math, and whatever you do don't believe the hype that Palladium is "trustworthy computing".

      --

      Reminder: find a new sig
    5. Re:I smell a TROLL by Maeryk · · Score: 2

      I see Palladium as the content industry's Trojan horse. It's pretty clear that they want to shut out smaller, independent players from a market they already control. Fact is, Hollywood has been making more money, not less, since piracy has started. And if the record industry has been selling less CDs, it's mostly because of two things: a) they publish more crap than quality and b) people are buying lots more DVDs nowadays (with either the same amount of disposable income or less). Check the numbers and do the math, and whatever you do don't believe the hype that Palladium is "trustworthy computing".

      I agree 1000% with what you have said. But boneheaded statements like NO ONE HAS THE RIGHT TO TELL ME WHAT TO RUN! are ludicrous. Which was my point. I certainly don't think Palladium is a GOOD thing.. but at the place I work, someone very nearly got fired for CONCATENATING TWO LINES when configuring a print server. The network security boyz called it "hacking" to put two lines together instead of using a return and second line. (Course, this is on really freakin old emulex hardware).

      Still.. screaming like an idiot won't help anyone.
      And saying "if I can rip it, you can't stop me" doesn't help our cause either.

      I agree MP3's are illegal. As are pirated movies. Do they help the movie industry? In my case they do.. I saw AOTC pirate before I saw it in the theater.. and it looked good enough that I actually paid to see it.. otherwise I would have waited for it on HBO. Same with MIB2.
      But that doesn't justify pirating movies. It's *still* illegal.

      Maeryk

      --
      Feminine Protection? What is that? A chartreuse flame thrower?
    6. Re:I smell a TROLL by Archie+Steel · · Score: 2

      It is true that piracy can sometimes help sales...I remember reading an interview with one of Sony Computer Entertainment Europe's bigwigs, who admitted that piracy had helped make the first PlayStation one of the most successful game consoles in history. I think that, if Hollywood and the record companies want to keep making money, they need to have added (non-virtual) value to their offerings. Case in point, the Memento special edition DVD. It looks too cool, I had to buy it...even if it was more expensive than the regular one. Same thing with the special edition "book" Kid A album by Radiohead. These are nice objects - you want to own them. Now compare this to a 15$ CD with no lyrics in a jewel case that breaks if you drop it...

      I agree though that boneheaded statements will get us nowhere, and actually play into the MP/RIAA's hands.

      --

      Reminder: find a new sig
    7. Re:I smell a TROLL by Anonymous Coward · · Score: 0

      even better than that.

      how about when M$ said nothing and looked elsewhere for years while everyone in Asia was getting a pir8 copy of win95/98 UNTIL THERE WAS A BIG USERBASE... and then start prosecuting and making money from the law-breaking companies?

      piracy does have a profitable side.

  29. No, he's correct by FreeUser · · Score: 2

    Actually, you're wrong. Palladium gives a corporation the ability to whitelist executables within their organization, blocking all but the ones they have personally inspected. You refer only to the default configuration.

    Ever hear of Microsoft Word & Excel Macro Viruses?

    Trusted, signed software doesn't mean you aren't vulnerable. Just because the command reformatting your hard drive was signed by Microsoft doesn't mean you're going to lose any less data.

    The only way to fix these vulnerabilities is to remove the incredibly stupid "features" like having a mail reader be able to execute any program (signed or not), and remove javascript, ActiveX, and whatever other stupid 'extended scripting' nonsense IE is putting in their browser these days.

    Palladium does nothing to secure the computer, all it does is insure the computer can only be used the way [insert authority figure here] deigns to allow you. Whether that authority figure is the Government, Microsoft, Apple (who would presumably be on board in a DRM world), the RIAA, the MPAA, or my local ISP makes little difference ... the notion is repugnant, and should be to anyone over the age of four who has any shred of dignity or desire for self-determination.

    --
    The Future of Human Evolution: Autonomy
    1. Re:No, he's correct by Eccles · · Score: 2

      The only way to fix these vulnerabilities is to remove the incredibly stupid "features" like having a mail reader be able to execute any program (signed or not), and remove javascript, ActiveX, and whatever other stupid 'extended scripting' nonsense IE is putting in their browser these days.

      Or enhance your access control. My mail program should have access to my mail-related files, the ability to contact the mail server, and the ability to do various mail-window related display stuff (if graphical) or output text to the associated tty (if not.) Increase the scope of your access control so it doesn't just protect files; that's how you'll increase overall security.

      --
      Ooh, a sarcasm detector. Oh, that's a real useful invention.
  30. Not aiming very high! by ddstreet · · Score: 3, Funny
    Quoth Bill Gates:

    Six months ago, I sent a call-to-action to Microsoft's 50,000 employees, outlining what I believe is the highest priority for the company and for our industry over the next decade: building a Trustworthy Computing environment for customers that is as reliable as the electricity that powers our homes and businesses today.

    Well that's reassuring! I think the general population of California would like for computers to be a bit more reliable than their electric grid!

    And even if you're not in CA, electric power is notoriously unreliable. Brownouts, power outages, power spikes, 120V vs. 220V, etc. Is Bill trying to tell us that Windows will never be reliable at all?

    1. Re:Not aiming very high! by nirvdrum · · Score: 1

      I doubt it. Do you depend on electricity to be productive? I think that's his point. I could be wrong though, I left my linux shades at home today, so I'm seeing things a bit more clearly.

      --
      If there was a "-1 Not Funny", that'd be my most used mod.
    2. Re:Not aiming very high! by ddstreet · · Score: 1
      Oh, I see. So as long as I have the software equivalent of a UPS (with surge protection and circuit isolation), and don't live in California, and don't use any application that requires the software equivalent of 220V (assuming my Windoze version is the 120V version), then Windoze will be quite reliable...oh, and no (software version of) a storm, we can't have that.

      Not the best comparison there...since electricity is actually a quite unreliable source, without hardware to make it reliable (UPS). And it's simply not reliable in CA (and many other places in the world outside the US!).

    3. Re:Not aiming very high! by nirvdrum · · Score: 1

      Read my post before you just spout off the same thing you said. I made no comment on the reliability of electricity. What I did say was that the dependability is there, and that's probably what he was aiming for.

      --
      If there was a "-1 Not Funny", that'd be my most used mod.
    4. Re:Not aiming very high! by rabidcow · · Score: 2

      I think the general population of California would like for computers to be a bit more reliable than their electric grid!

      Considering that most computers rely on the electric grid to function, I suspect that's unlikely.

      I mean yeah, you could have everyone buy a UPS or generator with their computer, but I doubt that'll happen.

    5. Re:Not aiming very high! by ddstreet · · Score: 1
      I made no comment on the reliability of electricity. What I did say was that the dependability is there

      Reliability and dependability are synonyms, dude. So what the hell are you talking about? Oh, you don't know...? Ok, thought so...

    6. Re:Not aiming very high! by ddstreet · · Score: 1
      I mean yeah, you could have everyone buy a UPS or generator with their computer, but I doubt that'll happen.

      Right, I'll bet barely any businesses (and certainly no end users!) have UPSes. Except for me, of course, I'm just weird. But nobody else. And I know for a fact that nobody uses surge protectors, ever. Yeah. That'd just be silly, seeing as how electric power is so reliable that it never surges or anything.

    7. Re:Not aiming very high! by nirvdrum · · Score: 1

      Hey, jackass, ever heard of a connotative meaning? Yeah, because you simply can't depend on something that isn't reliable? You've already proven that electricity isn't reliable. Prove to me how you don't depend on it. Until you do so, you've proven nothing.

      --
      If there was a "-1 Not Funny", that'd be my most used mod.
    8. Re:Not aiming very high! by Anonymous Coward · · Score: 0

      What crawled up your ass? You're just biting the head off of everyone who replied to you...

      The majority of home users do not have a UPS. If you do, then yes, you're weird.

    9. Re:Not aiming very high! by ddstreet · · Score: 1
      You've already proven that electricity isn't reliable. Prove to me how you don't depend on it.

      Since you still don't seem to understand that dependable and reliable are synonyms, or maybe you don't know what synonym means, I think I'll just leave this pointless conversation with links to the definitions of the words.

    10. Re:Not aiming very high! by ddstreet · · Score: 1
      The majority of home users do not have a UPS.

      And as I said, they don't have surge protectors either. That's absolutely a true fact, as there is no need for surge protection due to the high reliability of electric power.

    11. Re:Not aiming very high! by nirvdrum · · Score: 1

      Maybe I should just repost my last post? Seems you just want a recursive argument. Why argue if you're going to ignore what the other person says? I know what a synonym is. Do you know what a connotative definition is? You've quite clearly shown that electricity is not reliable, then why do you depend on an unreliable service? And, btw, your point about synonyms would have been much better cited by a thesaurus (look it up on dictionary.com).

      Try answering the question asked, rather than skirt around it.

      --
      If there was a "-1 Not Funny", that'd be my most used mod.
  31. 100% agreement by captain_craptacular · · Score: 2

    If I could I'd mod you up!

    --
    They who would give up an essential liberty for temporary security, deserve neither liberty nor security
  32. What about Palladium and Apple? by st0rmshad0w · · Score: 3, Interesting

    Having seen MacWorld NY and nifty little gizmos like a 20gig iPod that should have media corps coughing up hairballs in a matter of days, what of Palladium and DRM when it comes to Apple?

    Now granted the **AA's would just love to have a very tight DRM system, and Palladium underneath it all would be like a market research holy grail (knowing the marketeers' behavior), but that's all at this point a Windows thing.

    Setting aside OSS for the moment, what about the few other players? Apple primarily, but there are a few others. And what if someone wants to truly innovate a new OS?

    This is _way_ too controlling a system. I think the barrier to entry would effectively become a steel bulkhead (for any truly new OS).

    And what exactly is Apple's position on all this? Especially since OS X. And sooner or later there will be a fairly usable Darwin for x86. If the hardware begins to limit the software as is predicted, then perhaps MS should just make its own hardware for its new OS's. Open up its abandon-ware for the rest of us and strike out along the path of Apple.

    Frankly I think all of this is going to fail. And no system will be secure until we can get rid of the users =P

    1. Re:What about Palladium and Apple? by bnenning · · Score: 2
      And what exactly is Apple's position on all this?

      Apple doesn't like DRM. Their entire digital hub strategy is based on easily being able to manipulate digital content.

      --
      How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
    2. Re:What about Palladium and Apple? by st0rmshad0w · · Score: 2

      Exactly. So what happens if a Palladium/DRM(P/DRM) scheme is widely implemented? Will Macs and P/DRM pc's have some issue accessing one another's content? Gates has been talking about altering internet protocols, how the hell does he plan to do that? Sounds like bad news if you ask me.

    3. Re:What about Palladium and Apple? by tbmaddux · · Score: 2
      ... what of Palladium and DRM when it comes to Apple?
      Obviously "Palladium" per se won't be implemented on MacOS X, and I don't know whether Motorola is participating in the TCPA or if Motorola will even be around for much longer. But -- Try doing a screen capture while playing a DVD in your Mac, right now. You can, but you won't get a frame of the DVD -- it'll be blank. Why do you suppose that is?
      --
      Can't you see that everyone is buying station wagons?
    4. Re:What about Palladium and Apple? by Jeffrey+Baker · · Score: 2

      It is because the DVD software writes the video stream to the video card's scaling and colorspace conversion engine, not directly to the framebuffer. Nothing nefarious.

    5. Re:What about Palladium and Apple? by Anonymous Coward · · Score: 0

      I believe that was required for the DVD license though.

  33. What Must Palladium do? by ratboy666 · · Score: 1

    I have written this article before, and so I'm not going to repeat myself. Go see Article (#3842766) for the details on exactly why Palladium is REALLY, REALLY bad for your computer. As to it being a "security" thing, preventing "viruses"... It can't. Palladium can only make computing more difficult. Ratboy.

    --
    Just another "Cubible(sic) Joe" 2 17 3061
  34. Mad points to the virus writer... by Chris+Pimlott · · Score: 2

    ...who had Bill Gates mention his virus by name

    1. Re:Mad points to the virus writer... by CowbertPrime · · Score: 2

      uh. that was because Frethem is the newest virus to hit the net according to SARC. (it is also a stupid worm that carries no payload except for spreading itself).

  35. What about the homework? by WaterMix · · Score: 1
    A naive Palladium question for the more learned among us: If Palladium-compliant hardware will only allow signed binaries to execute, and 'normal' users can't sign binaries as Lasser suggests, how are people supposed to create and run their own software? How would a CE/CS student test his/her homework?

    Won't somebody please think of the children?

    1. Re:What about the homework? by Anonymous Coward · · Score: 0

      I think the point is that you don't run your own software. Obviously, if you're an individual who's programming you're making the next virus or worm, so what you produce shouldn't be signed. People don't program for fun or to build 'real' software, that's just a foolish thought ;).

  36. It's spelt 'hypocrisy' by Anonymous Coward · · Score: 0

    idiot.

  37. Slashdot isn't a user. by Anonymous Coward · · Score: 0

    There's no hypocrisy to speak of here; Slashdot is a group of users united by an interest in technology. Some like what Microsoft does, some don't, and quite a few fall in between. The more vocal members of each of the extremes tend to be attracted to stories that they can rant about.

    1. Re:Slashdot isn't a user. by Anonymous Coward · · Score: 0

      OK, I went and looked it up...Slashdot IS a user.

  38. Baron: Squeeze our corporate customers, SQUEEZE! by tenzig_112 · · Score: 2

    Headlines yesterday showed that Microsoft's profits have grown close to 10% in this weakening PC/IT market. Hmmm...how could that be? The Padisha Emperor himself conducted an investigation and found no wrongdoing on the part of Baron Gates and House Microsoft.

    Much to the delight of House Microsoft's board of directors, the Baron unleashed Steve "The Beast" Ballmer to extract as much as he can from their corporate customers in the form of "upgrade plans" and other rackets.

    Some talk of a vast hidden population of Lemen, yet official sources dismiss the rumors.

  39. Consumer's Choice To Opt In..Another Big Brother by N8F8 · · Score: 2

    People wouldn't be so paranoid if this were being discussed more as an option and not something hardwired into future hardware and OS versions.

    I'll decide what I consider acceptable risk. I've been working with computers for 18 years and haven't had anything I couldn't handle. In fact every problem I have had was an issue with a security hole in a Microsoft product. Now Microsoft is pushing that the only solution is to give someone else the power to monkey with my computer and decide what I can store/run on my hard drive. Get real.

    --
    "God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
  40. didn't get it by (startx) · · Score: 1

    I didn't get that email....does this mean I'm special?

    1. Re:didn't get it by Oztun · · Score: 2

      I guess that depends on whether you are actually a member of the mailing list or not ;P.

  41. Trustworthy products by jhines · · Score: 2

    The rest of the world backs up products they want to inspire trust in with warranties or some guarantee that the product is actually usable for its intended purpose.

    This is something that is notably lacking from MS, their trustworthy initiative seems more about making their EULA more legally binding, without delivering anything to the consumer.

  42. Trusting my machines? Even I don't do that... by crovira · · Score: 2

    While biometric identification through a trusted, controlled and monitored source might satisfy me for everything and using my biometric keys to provide retrieval-only access to my data might satisfy me, there is no way that I would blindly trust the network, never mind the machine for update.

    The consequences are too horrific.

    I've been a victim of identity theft and it cost someone her LIFE, such as it was, because she chose suicide instead of a long jail term.

    This is SERIOUS SHIT. It happens. It happened to somebody I knew. But she ripped me off. I turned her in and she funkin' offed her stupid cowardly self. ("People Who Died" by the Jim Carroll Band is running through my head...)

    There is NO FUCKIN' WAY I'd trust my Macs or my Linux PC to reveal information on my behalf.

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
    1. Re:Trusting my machines? Even I don't do that... by Ziviyr · · Score: 1

      because she chose suicide instead of a long jail term.

      A single year is a long time, and judges pass them out like they were arcade tokens.

      There's the other part, trusting a third party to make decisions you consider sane. See, I'm on topic! :-)

      --

      Someone set us up the bomb, so shine we are!
  43. Yeah right by sulli · · Score: 1

    Mandated by whom? Last time I checked there were several major non-Win OSes out there. Do you really think hardware vendors are SO STUPID as to cripple them all in the processor? Or to allow Congress to require same without a very hard fight?

    --

    sulli
    RTFJ.
    1. Re:Yeah right by schon · · Score: 2

      Do you really think hardware vendors are SO STUPID as to cripple them all in the processor?

      If they're given the option of "Drop support for non-palladium systems, or we stop selling windows to you"

      Then YES. Read the transcripts from MS's trial. They've done things like this already, and the manufacturers have caved.

    2. Re:Yeah right by gilroy · · Score: 3, Interesting
      Blockquoth the poster:
      Do you really think hardware vendors are SO STUPID as to cripple them all in the processor?
      Hmmm, let's see.
      • Recently, business sales of new CPUs have fallen off. Apparently people are running word processors just about as fast as they need to, and so it makes sense to hang onto older, "obsolete" motherboards and "outdated" OSes. This of course threatens the chip makers, since their business model depends on unconstrained growth in demand.
      • If Microsoft releases Windows Palladium as advertised, then businesses will feel motivated, if not outright compelled, to buy it, since security is a growing concern. But to run Palladium, you need hardware-level encryption and signing. That means to "upgrade" to Windows Palladium, you need to buy an entire new CPU. At least one more rush of hardware purchases awaits!
      • Consider these quotes:
        • Giants chip in for Palladium
          "...INDUSTRY chip giants Intel and Advanced Micro Devices have confirmed they will support Microsoft's plan to improve PC hardware and software security..."
        • Palladium: Safe or Security Flaw?
          "...Microsoft's recently announced R&D project, which includes chipmakers Intel and AMD as partners, aims to combine software and hardware extensions to traditional PC architecture..."
      So I guess the reason that I think "hardware vendors are SO STUPID as to cripple them all in the processor" is that they've already agreed to do just that.
    3. Re:Yeah right by sulli · · Score: 2
      I just don't buy it. Linux, OpenBSD, FreeBSD, et al. will never support Palladium, right? So I guarantee that these free OSes will find a way to bypass it in software - if they have to handle ethernet firmware functions in the kernel, I bet they will rather than tolerate remote monitoring by The Bad Guys. Apple still uses Motorola and hates DRM, so it won't use Palladium. And we haven't even mentioned Sun, SGI, et al.

      If there's an alternative, people will buy it. I will - won't you? Then the market does its thing, and the Wintel empire loses clout because people are moving to the alternatives. Like the other guy said upthread: give them enough rope, they'll hang themselves.

      This is just like SDMI. Lots of committees, lots of hype, but ultimately it won't mean shit unless users buy it, and I'll bet Euros to Krispy Kremes that they won't.

      --

      sulli
      RTFJ.
    4. Re:Yeah right by Lonath · · Score: 2
      So I guarantee that these free OSes will find a way to bypass it in software

      You're correct. It can and will be bypassed in software. However, I am not so sure about this:

      So I guarantee that these free OSes will find a way to bypass it in software LEGALLY

      You see it isn't a question of whether or not it can be bypassed, it's a question of whether or not it can be bypassed legally.

      How could it be made illegal? Two examples:
      1. Circumventing an encryption device. They allow you to do it on your own comp, but it's illegal to tell others how to do it.
      2. Patents. They set it up so you need to use a patented process to run programs using the hardware, and Linux and FS/OSS don't get the licenses.


      So, it's not a question of CAN you get around it, it's a question of are you permitted to get around it?

      I think I'm prepared to make any crippled machines I buy in the future as capable as machines that I have today. It hasn't gotten to that point yet, but I do understand what I'm saying. I hope that I'm willing to carry through with my threat to make my machines as capable as the ones I have today should it ever become necessary.

      It seems reasonable doesn't it? After all, so much of science and new types of art are dependent on computers and technology that this country has an obligation to promote the progress of the useful arts and sciences.

      If giant companies use copyright and patents to cripple computers, then they're using copyright and patents to hinder the progress of the useful arts and sciences.

      Because I think that's wrong, I will fix my crippled property and tell others how to fix their crippled property so that they can use their machines to create software, and art, and do scientific and other fun things. In that way, I will be promoting the progress of the useful arts and sciences.
    5. Re:Yeah right by sulli · · Score: 1
      I doubt that it will be made illegal. But if it is, I agree with you that we have a right - really, an obligation - to fight it. I am EXTREMELY skeptical that chip makers will all abandon non-Palladium chips en masse for commercial reasons; our job now is to make sure that no law is passed forbidding normal (non-crippled) hardware, which is what was proposed in the moronic S.2048 (CBDTPA) and draft SSSCA before it.

      A sign of hope is the reaction to S.2048. Tens of thousands of faxes do get attention - Leahy didn't even let it out of committee.

      --

      sulli
      RTFJ.
    6. Re:Yeah right by Anonymous Coward · · Score: 0

      > I doubt that it will be made illegal.

      I'm 100% sure that this is *exactly* what MS has in mind. It will be illegal to bypass Palladium in any manner. It will be illegal to run any Palladium non-compliant software on any system that connects to the Net.

      It may not happen real soon but I think that's exactly where MS is headed with this. And they'll have the senators to help push through the legislation they'll need in the name of "national security."

      I just hope that I'm paranoid, but I don't think so.

    7. Re:Yeah right by Anonymous Coward · · Score: 0

      not sure where you got the idea that x86 is the only cpu-arch available...

      if intel & microsoft want to degrade it so hollings-x86-multimedia-and-gaming-platform, I wish them good luck... ... and go with sane architectures

      have fun playing games :)

  44. Best of both worlds.. by Oztun · · Score: 3, Insightful

    Ok this might be completely ludicrous but here it goes.

    I would like to see Microsoft and Intel team up and go one way, while AMD and everyone else go the other.

    Then Microsoft can lock down everyone's PC like Apple and do whatever they want to. The rest of us will then be able to enjoy our open systems.

    Crazy idea? You decide.

    1. Re:Best of both worlds.. by Reziac · · Score: 2

      It's crazy to me, because I prefer Intel CPUs and chipsets regardless of the OS (for lots of reasons I'm not going to argue about here :)

      Also, what about people who don't live where they have much choice (think third world) about what hardware they can acquire??

      One thing I think will eventually happen tho, if Palladium comes to pass, is that the internet will fragment into Palladium-compliant and non-Palladium trunks. If you aren't running Palladium-compliant hardware and OS, you may have no choice but to use whatever ISP lets you connect that way, and may be very restricted as to what servers you can contact.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    2. Re:Best of both worlds.. by JFMulder · · Score: 2

      The problem is, AMD and Intel have already decided to jump on the DRM wagon and are both working on including DRM technology inside their chips. So the only other company who will be able to give us computers that are DRM free will be Apple (maybe, I don't know if they're going to go that way), and Via (with Cyrix) and Transmeta. And they don't have a lot of market share. Apple may gain some, but virtually no one will want a Cyrix or Transmeta processor.

  45. Why you'll never get another message like this by Lumpish+Scholar · · Score: 4, Funny
    We're also working with others throughout the industry to improve Internet protocols to stop email that could propagate misleading information ...
    ... like this message you've just sent, Bill?-)
    --
    Stupid job ads, weird spam, occasional insight at
  46. RARGH! by The_Shadows · · Score: 2

    I'm done. I've had it. I've used Windows for years, and managed to do what I need w/o massive invasions of privacy. Straw to camel's back: You are broken. This box (Win2K) is going to serve me for as long as I need it. My second machine is getting Gentoo installed right now. I'll have some of my Linux pals help me get it set up and set up right. And help me figure out what I'm actually doing (in part). I've done enough to get around Linux, but I want to know more.

    Hopefully, within a year (minding, I like my gaming!) I'll be able to toss Windows and break myself of the habit completely before Palladium comes out and destroys home computing.

    1. Re:RARGH! by Reziac · · Score: 2

      I've had similar thoughts. WinXP (albeit suitably chained and neutered :) is very likely the last Windows version I will ever use -- because the OS itself is becoming less and less trustworthy in terms of what control it demands over MY data. Fortunately, my old Win95 box still meets 90% of my computing needs. (But I'm not a gamer, either :)

      The real problem is what I'm going to do with clients who will need *future* Windows apps, and who will need a new computer in the Palladium era. Not everyone can be willy-nilly switched to linux.

      And I'm glad I'm already hoarding "old" hardware!!

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  47. Palladium's intended market. by index72 · · Score: 1

    DRM with Palladium will only concern you if you buy one. I see this as a method primarily for corporate or government users that need this type of security. It's a big OPT-IN device where to opt-in you have to buy the Palladium equipment. As far as allowing MS and Intel to require this on all computers, well we aren't going to let that happen.

    1. Re:Palladium's intended market. by Anonymous Coward · · Score: 0

      Did you download the latest Windows Media Player security fix? Did you read its EULA? If you agreed to that EULA, you agreed to allow MS to place any security software they want on your CURRENT computer. Why wouldn't they force a software only version of at least some "Palladium style" control on your current computer? Read all your MS EULAs. You may have already opted-in!

    2. Re:Palladium's intended market. by Anonymous Coward · · Score: 0

      >Did you download the latest Windows Media Player
      >security fix?

      Well, no, but,

      >Did you read its EULA?

      Well, yes, but,

      >If you agreed to that EULA,

      Well, I didn't, but,

      >you agreed to allow MS to place any security software they want on your CURRENT computer.

      According to one interpretation, yes. But what
      I HAVE NOT DONE in this scenario, is given Microsoft the MEANS to install software on my computer. That is still something I control.
      This is especially easy to control if you do not connect your computer to a network to which Microsoft has access (and lock the door).

      Further protection is an exercise in diligence, nothing more.

      I can click on a license that gives Ballmer the right to come in my yard and drown my dog in the pool too. Does that give him the right to do so, or provide the means or incentive?

  48. palladium problems? by psi-kat · · Score: 1

    The thing I don't get with palladium is: what happens to developers? New binaries are created all the time. What, now we have to get them "signed" before we can run them? Ah, well, just more time to read slashdot that way, I suppose... I'm also not getting the logistics of palladium; what if I write a program that does X, but also, as an undocumented feature (so that it can get signed, etc.): it can execute other programs. So can I not now use this program to execute whatever the hell I want to? For instance, get wine signed, then run any windows program in linux.

  49. Trustworthy Computing? by Anonymous Coward · · Score: 0

    Trustworthy Computing has four pillars: reliability, security, privacy and business integrity. "Reliability" means that a computer system is dependable, is available when needed, and performs as expected and at appropriate levels. "Security" means that a system is resilient to attack, and that the confidentiality, integrity and availability of both the system and its data are protected. "Privacy" means that individuals have the ability to control data about themselves and that those using such data faithfully adhere to fair information principles. "Business Integrity" is about companies in our industry being responsible to customers and helping them find appropriate solutions for their business issues, addressing problems with products or services, and being open in interactions with customers.

    Hmm, sounds more like what Linux has offered for the past 5 years than anything Microsoft has ever come up with. Their four pillars of trustworthy computing should read more like this:

    - Adherence: You, the end user, shall willingly agree to any and all rules and regulations set forth by the Microsoft Corporation.

    - Acceptance: You, the end user, will accept Microsoft as the sole deciding factor as to what are "acceptable uses" of your computer.

    - Tolerance: You, the end user, will tolerate all flaws, openings, and gateways in all Microsoft products.

    - Reluctance: You, the end user, being too stupid to harness the true power of your computer, will submit to Microsoft's vision of the future of computing. This includes limiting the applications you use to Microsoft or Microsoft approved products, Microsoft or Microsoft approved hardware, Microsoft or Microsoft "Digitally Signed" drivers, and Microsoft operating systems.

    By agreeing to the above, you give Microsoft the right to decide where you will go today. Revisions to the above may or may not be made, and you may or may not be informed of the changes. Regardless, any changes made you will adhere to by virtue of your affirmation that you agree to the above.

    Welcome to the sad, scary future of computing.

  50. Open? by krmt · · Score: 4, Insightful

    I think one of the interesting things about the rise of Microsoft and the IBM clone PC in general is that it proved that an open, extensible system is going to win out. It doesn't matter how good your closed system is, it just won't win out (witness: Mac vs DOS).

    And here we are, it's 2002, and Microsoft, the company that most benefited from having the PC architecture open, is now seeking to close it. For "security". As more restrictions are added, fewer interesting things will happen on the system, and people will start to look elsewhere to get what they want and need.

    It's sad that Microsoft has forgotten what got them where they are in the first place. Look for Apple to do even better once Palladium hits.

    --

    "I may not have morals, but I have standards."

    1. Re:Open? by wafflemonger · · Score: 1

      Several bus architectures were designed to take the place of the MCA and (original) ISA bus because IBM tried to close the platform. This took a while to stabilize and give us something better than MCA. Wasn't it VIA that threatened to clone the P4 just so that it could sell its mobo chipsets? This would take a while but would give us the platform that we want.

  51. Bill Gates(tm) by smoondog · · Score: 4, Insightful

    I am confident we can and will create a truly Trustworthy Computing environment.

    Anyone else notice Bill's interesting capitalization at the end of the letter? Perhaps we can expect another generic trademark soon?

    So, I guess it has finally happened. People don't use the word trustworthy to describe M$, so M$ just created a way for trustworthy to be used with all M$ activities! I guess that is more profitable than actually becoming trustworthy.

    -Sean

    1. Re:Bill Gates(tm) by qubit64 · · Score: 1

      I don't know why but I read your post, looked at the capitalized words (TC) and the first thing that popped into my head was "total control"

      --
      "Save me jebus!" - Homer Simpson (btw, I'm probably talkin out of me arse)
    2. Re:Bill Gates(tm) by johnjtrammell · · Score: 1
      Very interesting -- see what happens when you go to trustworthycomputing.com.

      Somebody beat me to it! :-)

    3. Re:Bill Gates(tm) by myklgrant · · Score: 0

      Also the co-opting of the term P2P. He refers to the Platform for Privacy Preferences as P3P. Very canny.

    4. Re:Bill Gates(tm) by Reziac · · Score: 2

      When I read the article, I found myself thinking "Bill Gates missed a great career as a politician!"

      Oh, wait...

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  52. The Solution... by EdMcMan · · Score: 1
    We're also working with others throughout the industry to improve Internet protocols to stop email that could propagate misleading information or malicious code that falsely appears to be from trusted senders.

    Microsoft has found the way to be vulnerability free. Instead of fixing their bad code, they will just break IP so much that you can't even send any exploited code! Great idea, Microsoft. (Morons)

  53. Think of the Developers by bartman · · Score: 1

    If one may not recompile source code and execute it without MS signing it, how will development continue unless you sign your binary at MS headquarters?

    To have this work all development would have to be done using MS Visual Studio and every binary would have to be sent to MS.com, be signed, and sent back to the client who then executes it.

    Note that signing cannot be done on the compiling machine, otherwise OSS, or even the virus we all fear, will be able to do the same. ... just some thoughts.

    --
    -- bartman
    1. Re:Think of the Developers by Charlotte · · Score: 1

      Anyone would be able to sign programs they write themselves, that is not the issue.

      The issue is that in "trusted" mode, programs which have been signed by someone else can write data to your system which you can not decrypt without that program's permission. The program could ask a server on the internet for permission to decrypt data. Think of the possible abuses!

      This is the real Palladium threat - suddenly with the DMCA in place it's a felony to try and read your encrypted data stored on your harddisk. Anytime you want to access sealed data legitimately, the software can take any decision it wants on allowing you to do that or not. It can contact Paramount's server and check if you've already seen that Star Trek movie more than twice. You have? Time to cough up more money.

      The problem is not that Microsoft will be able to control its own signing authority but that other entities will use it, requiring the use of Microsoft's latest Windows OS along the way. Want to file your taxes? You'll need IRS(tm) for Windows. Want to watch Star Trek 14? Need to download Movie@Home for Windows from Paramount.

      Circumvent the Microsoft Tax and you go to prison for life. Nice.

  54. Possible fix to Data Overflow bug? by dh003i · · Score: 2

    I'm not an expert security programmer, but I think I have an idea on how to handle the data overflow bug in Apache and other systems.

    Limit the amount of data that can be inputted from any particular source, depending on how fast the system can handle the requests. Has your system ever slowed down so much that you type something and it appears...five seconds later? Same idea. Why should the system allow gigabytes of data to be inputted when the given system can only handle -- say -- 100 MB at a time? It shouldn't. This is exactly what causes the problem -- the system gets information/data at a rate faster than it can handle it. So basically, my idea amounts to this: don't bite off more than you can chew.

    A similar concept might work well to protect against password-cracker programs. Why allow user/password entries as fast as the system can handle it? Why not set a limit so that the program only accepts one attempt every 10 seconds, and then after 3 such times closes?

    Another suggestion, on Palladium and like technologies/ideas. Basically, the criticism is that it will kill OSS / FS, either because they won't get the seal of approval from MS or because even if they do, or that will be impossible (how do you give such to source code), or that even if it's given it will be broken if the user exercises his OSS / FS rights and changes the code. The solution to this problem is for whoever to create a digital approval system such that the user decides which things he approves of. For every chip sold, they will have the "universal" approval stamp on them, and one which is specific to that user: namely, that means that every piece of hardware made would have one common approval stamp (which would be delegated out by some organization) and one private unique one, which the user would control and give the "stamp" to the programs of his choice. Comments?

    1. Re:Possible fix to Data Overflow bug? by jafac · · Score: 2

      A similar concept might work well to protect against password-cracker programs. Why allow user/password entries as fast as the system can handle it? Why not set a limit so that the program only accepts one attempt every 10 seconds, and then after 3 such times closes?

      IIRC, Solaris has such a feature - you can configure the delay between password entry attempts - and pretty much EVERY OS I know of has a "lockout after x number of failed attempts" feature - going back to Banyan - probably further.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
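The delay-plus-lockout policy discussed in this sub-thread (one attempt every 10 seconds, closed after 3 failures), as an added C example that is not part of the original comments and not code from Solaris, Linux or Apache. The names `throttle`, `attempt` and the helper functions are hypothetical; the caller supplies the clock value and the result of its own credential check.

```c
#include <stdio.h>

#define MIN_INTERVAL 10  /* seconds between evaluated attempts (value from the thread) */
#define MAX_FAILURES 3   /* failed attempts before the account is locked (from the thread) */

enum verdict { LOGIN_OK, LOGIN_FAILED, LOGIN_TOO_SOON, LOGIN_LOCKED };

struct throttle {
    long last_eval;  /* time of the last attempt that was actually evaluated */
    int  have_last;  /* 0 until the first evaluated attempt */
    int  failures;   /* consecutive failed attempts */
};

/* Decide one login attempt. `credentials_ok` is the caller's verification
 * result; a real service would skip verification entirely on the
 * TOO_SOON and LOCKED paths so that rejected attempts leak nothing. */
enum verdict attempt(struct throttle *t, long now, int credentials_ok)
{
    if (t->failures >= MAX_FAILURES)
        return LOGIN_LOCKED;
    if (t->have_last && now - t->last_eval < MIN_INTERVAL)
        return LOGIN_TOO_SOON;      /* not evaluated, not counted */
    t->last_eval = now;
    t->have_last = 1;
    if (credentials_ok) {
        t->failures = 0;
        return LOGIN_OK;
    }
    t->failures++;
    return LOGIN_FAILED;
}

/* Constructed scenario: a client submits one wrong guess every `step`
 * seconds. Returns how many guesses the server actually evaluated. */
int guesses_evaluated(long step, int tries)
{
    struct throttle t = {0, 0, 0};
    int evaluated = 0;
    for (int i = 0; i < tries; i++)
        if (attempt(&t, i * step, 0) == LOGIN_FAILED)
            evaluated++;
    return evaluated;
}

/* Constructed scenario: one typo at t=0, then the right password at `retry_at`. */
enum verdict typo_then_correct(long retry_at)
{
    struct throttle t = {0, 0, 0};
    attempt(&t, 0, 0);
    return attempt(&t, retry_at, 1);
}

/* Constructed scenario: three spaced failures, then the right password. */
enum verdict correct_after_lockout(void)
{
    struct throttle t = {0, 0, 0};
    attempt(&t, 0, 0);
    attempt(&t, 10, 0);
    attempt(&t, 20, 0);
    return attempt(&t, 30, 1);
}

int main(void)
{
    printf("1000 guesses, 1/s:  %d evaluated\n", guesses_evaluated(1, 1000));
    printf("1000 guesses, 1/10s: %d evaluated\n", guesses_evaluated(10, 1000));
    printf("typo, retry at 3s:  verdict %d\n", typo_then_correct(3));
    printf("typo, retry at 12s: verdict %d\n", typo_then_correct(12));
    printf("after lockout:      verdict %d\n", correct_after_lockout());
    return 0;
}
```

Because the counter here is keyed on the account alone, anyone can lock a user out with three wrong guesses, so deployments often track state per source as well and let the lock expire.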
    2. Re:Possible fix to Data Overflow bug? by dh003i · · Score: 2

      So the question is, why doesn't Linux & Apache have such features for passwords, and for data-input? Also, why not have a feature which only allows passwords to be entered as input from the keyboard, and not some program?

    3. Re:Possible fix to Data Overflow bug? by J'raxis · · Score: 1
      Limit the amount of data that can be inputted from any particular source, depending on how fast the system can handle the requests. Has your system ever slowed down so much that you type something and it appears...five seconds later? Same idea. Why should the system allow gigabytes of data to be inputted when the given system can only handle -- say -- 100 MB at a time?
      This has absolutely nothing to do with overflow. You can cause a buffer overflow with 2 bytes of data, if the space the programmer allocated was only one byte long. Thus, the extraneous data spills over into memory where it should not, possibly overwriting executable segments. If the data happens to be valid machine instructions... you just inserted arbitrary code into the program.

      The only reason buffer overflows typically involve large gobs of data is that most programmers allocate their buffers to some standard size like 1024 (this is usually a value known as BUFSIZ in C standard I/O), so it takes 1025 or more bytes to cause an overflow.

      What you're describing is another type of problem, that of a denial of service attack by saturating a program with too much data at once. The program can fit the data in its buffers fine (a typical program probably loops, putting 1024 bytes in the buffer, processing it, flushing the buffer, then taking another 1024), it just takes an astronomical amount of time to do it.
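The distinction drawn in the comment above, as an added C example that is not part of the original post: an overflow depends on copy length versus buffer capacity, not on how much data arrives in total. The one-byte buffer and its neighbour are modelled inside a single array (`arena`, a hypothetical name) so the out-of-bounds write can be observed without undefined behaviour, and `source_read` is a constructed stand-in for a network read.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK 1024     /* fixed I/O buffer size, the "1024" in the comment */
#define BUF_CAP 1      /* the one-byte buffer from the comment */
#define ARENA_SIZE 8   /* constructed model of a few adjacent bytes of memory */

/* Model: mem[0] is the 1-byte buffer, mem[1] is a neighbouring variable. */
struct arena { unsigned char mem[ARENA_SIZE]; };

/* Copy that trusts the caller's length, as an unchecked strcpy-style copy does.
 * The clamp to ARENA_SIZE only keeps this demonstration inside its own array. */
static void copy_unchecked(struct arena *a, const unsigned char *src, size_t len)
{
    if (len > ARENA_SIZE) len = ARENA_SIZE;
    memcpy(a->mem, src, len);
}

/* Copy that compares the length with the buffer's capacity before writing. */
static int copy_checked(struct arena *a, const unsigned char *src, size_t len)
{
    if (len > BUF_CAP) return -1;
    memcpy(a->mem, src, len);
    return 0;
}

static const unsigned char TWO_BYTES[2] = { 0x41, 0x01 };  /* constructed input */

/* Two bytes into a one-byte buffer: the second byte lands in the neighbour. */
int neighbour_after_unchecked(void)
{
    struct arena a;
    memset(&a, 0, sizeof a);
    copy_unchecked(&a, TWO_BYTES, sizeof TWO_BYTES);
    return a.mem[1];
}

/* Same input through the checked copy: rejected, neighbour untouched. */
int neighbour_after_checked(void)
{
    struct arena a;
    memset(&a, 0, sizeof a);
    if (copy_checked(&a, TWO_BYTES, sizeof TWO_BYTES) != -1) return -1;
    return a.mem[1];
}

/* Constructed data source: hands out at most `want` bytes per call. */
static size_t source_read(size_t *remaining, unsigned char *dst, size_t want)
{
    size_t n = *remaining < want ? *remaining : want;
    memset(dst, 'A', n);
    *remaining -= n;
    return n;
}

struct stream_stats { size_t chunks; size_t max_fill; };

/* The read/process/flush loop from the comment: any amount of input passes
 * through a CHUNK-byte buffer because each read is bounded by sizeof buf. */
static struct stream_stats drain(size_t total)
{
    unsigned char buf[CHUNK];
    struct stream_stats st = { 0, 0 };
    size_t remaining = total, n;
    while ((n = source_read(&remaining, buf, sizeof buf)) > 0) {
        st.chunks++;
        if (n > st.max_fill) st.max_fill = n;
    }
    return st;
}

int main(void)
{
    struct stream_stats st = drain((size_t)100 * 1024 * 1024);  /* the "100 MB" case */
    printf("unchecked 2-byte copy, neighbour = %d\n", neighbour_after_unchecked());
    printf("checked 2-byte copy,   neighbour = %d\n", neighbour_after_checked());
    printf("100 MB streamed: %zu chunks, largest fill %zu bytes\n",
           st.chunks, st.max_fill);
    return 0;
}
```

The large stream costs time (102,400 loop iterations here), which is the denial-of-service concern, while the two-byte input is the one that corrupts memory.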

    4. Re:Possible fix to Data Overflow bug? by J'raxis · · Score: 1

      Passwords submitted to Apache, um, aren't coming in from the user's keyboard, they're coming in in an HTTP header. The browser takes keyboard input, fashions an HTTP request with the user-input password in it, then sends that to the server in the form of TCP/IP packets. The server can't tell if the browser got that password from the keyboard.

      The same would go for the OS, if the user is logging in remotely. The only situation under which keyboard input could be checked would be if the user is logging in directly on the console (a program can call isatty(...) to see if standard-input is connected to a terminal or not, but this wouldn't be that reliable).

    5. Re:Possible fix to Data Overflow bug? by J'raxis · · Score: 1

      Of course if someone snarfs the /etc/passwd file, they can just brute-force the passwords on their own machine with a 5-line Perl script employing crypt(...).

  55. A bona-fide technical question by astrashe · · Score: 3, Interesting

    Does anyone remember the fight over the clipper phones? The clipper system used mandatory private key escrows. The idea was that if you bought a clipper phone, the secret key would exist in a government db somewhere. If they wanted to wiretap you, they'd just have to look your key up and decrypt the signal.

    It wasn't a rejection of the clipper ideology that sank the proposal. It was a proof that it would be possible to build counterfeit clipper phones that would interact with the system. The NSA screwed up, they built a system that wasn't strong enough.

    It seems to me that palladium would face a similar challenge. How do they differentiate between a rogue board that pretends to be palladium compliant and a real one? Especially in a world with flashable BIOS?

    What's to stop people from buying boards that will be palladium switchable? If you want to run Windows, you can set the BIOS one way, if you want to run Linux, you can set the BIOS to disregard it?

    Or what's to stop people from making boards that accept any signature without checking it? MSs software would think it was on a palladium compliant system, but you could run whatever you wanted.

    1. Re:A bona-fide technical question by lunenburg · · Score: 2

      It seems to me that palladium would face a similar challenge. How do they differentiate between a rogue board that pretends to be palladium compliant and a real one? Especially in a world with flashable BIOS?

      What's to stop people from buying boards that will be palladium switchable? If you want to run Windows, you can set the BIOS one way, if you want to run Linux, you can set the BIOS to disregard it?


      Technologically, there's no way to enforce it (and they know this). It would all depend on how many people Big Hollywood wanted to see arrested as to how many people would try to get around their DRM stuff. Throw enough people in jail for "hacking" and "pirating", and everyone else will be too scared to try to fight.

    2. Re:A bona-fide technical question by elmegil · · Score: 2

      I think the failure of the Drug War proves you wrong. While only a bare minority are actually fighting against the war on (some) drugs, there is widespread disregard for the letter of the law.

      --
      7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
    3. Re:A bona-fide technical question by lunenburg · · Score: 2

      There's always hope, I guess. :-) The best solution is, of course, to stop the law before it starts. After that, we can just hope that most people ignore it.

    4. Re:A bona-fide technical question by MrResistor · · Score: 2

      At that point it will become a Civil Rights issue. Someone will fight it, and they will have the support of the EFF and probably the ACLU to take it all the way to the Supreme Court. IANAL, but I don't see how a DRM law would be able to stand up against the Constitution.

      --
      Under capitalism man exploits man. Under communism it's the other way around.
  56. *sigh* Never Learning, Always Repeating by EXTomar · · Score: 3, Insightful

    Palladium is yet another example of Microsoft's flawed software strategy. MS constantly thinks: If there is something wrong, make new products to fix it. Doesn't anyone else think that this is flawed??? Oh yeah...you can't sell stuff like that as much as new "I have better features than my previous version" software.

    Palladium is a bandage over the broken user/networking model and the interfaces to them. Instead of stepping back and considering the reasons why most users and processes MUST run as Administrator(locally and network wise), Microsoft wants to promise that yet more software that will sort out the issue for you without thinking. Installing software on a Win2K system can be a bear if permissions have to be setup a certain way. How hard is it going to be to install software on a Palladium system?? Don't think the new Word for Palladium. Think about the legacy software you are still required to use. That should send shivers down any IT Staff's collective spines.

    And, at the worst, Palladium fails to fix a giant class of problems. IIS will no doubt in MS's mind be a trusted program to run. However monkeying with "default.ida" isn't something it should be doing. Palladium can prevent "mystery.exe", which is unsigned, from running but seems to make no provision for trusted binaries suddenly behaving badly. Default settings, denial of service, etc. have nothing to do with signed code.

    Beyond this a computer is supposed to get out of the way and let you do your tasks. A "well oiled" Linux machine can do this for tasks. Mac users rave about how its OS goes way into the background when a task is executed. MS through Palladium seeks to get more in the way to protect us from ourselves. Why does Joe Sixpack want a computer that is even more "in your face" than it is now?

    As for the future of Linux with Palladium looming on the horizon. I'm not worried. In fact I foresee a great boon in virtual execution environments on Linux and BSD where you can choose to ignore Palladium rules if you the user choose to do so.

  57. Simple Economics by Anonymous Coward · · Score: 1, Insightful

    I find it amazing that *nix users are getting so caught up in this. I would think they would be smart enough to know that MS can't control the whole computer industry. If users don't like it users won't buy it. If there is a market for components that don't follow palladium specs then someone will fill that market. It's basic economics.

    Right now all I hear are some *nix users supporting their arguments with opinion and passing it off as fact.

    I am about as sick of the Linux propaganda machine as I am of MS.

    1. Re:Simple Economics by Anonymous Coward · · Score: 0

      That is because people expect that Palladium (aka TCPA) will be signed into law by the American government. As soon as computers without Palladium become illegal in the US, chances are none will be produced without it.

    2. Re:Simple Economics by Cid+Highwind · · Score: 1

      I find it amazing that *nix users are getting so caught up in this.

      What can I say, we don't like the idea of losing the PC platform, our main source of cheap hardware

      I would think they would be smart enough to know that MS can't control the whole computer industry.

      But they can, and do. Microsoft has manipulated the price of windows licenses to build itself into a position to demand just about anything from OEMs. Read the Findings of Fact from the MS antitrust case.

      If users don't like it users won't buy it. If there is a market for components that don't follow palladium specs then someone will fill that market. It's basic economics.


      Not if Palladium-disabled hardware (aka DMCA circumvention devices) are illegal!

      --
      0 1 - just my two bits
  58. Lasser's Comments by EdMcMan · · Score: 3, Interesting
    I'm afraid I disagree with Lasser. First of all, Microsoft has not yet said what type of code will be 'signed'. One can assume it would be applications. Let's say I do a buffer overflow on IIS, and use shell code. The shell code is not a new program, and runs 'inside' the other program. These are instructions, not a program, and really can't be signed or protected against.

    Microsoft is truly foolish if they expect to have people switch to Palladium. The majority of their customers were pissed with XP, just having to call Microsoft if they updated their hardware. Now, they expect people to buy new hardware so they can be told what they can't run? Personally, I think Palladium might end up being a new NT, but I seriously doubt it will ever be like Microsoft claims it will.

  59. what the fuck u talking bout? by Ender+Ryan · · Score: 2
    To be extremely blunt, what the fuck are you talking about, you absolute moron? Last time I checked, I don't think ANYONE wanted MS to come up with something like Palladium!

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
  60. Blame by pjrc · · Score: 1, Redundant
    According to Gates:

    it is the growth of the Internet and the advent of massive computing systems built from loose affiliations of services, machines, communications networks and application software that have helped create the potential for increased vulnerabilities.

    Shoddy code running unnecessarily with full admin privs probably had nothing to do with it!

  61. Microsoft is clearly untrustworthy. by func · · Score: 0, Redundant

    What's the point? MS is talking about how they're doing all this stuff to guarantee your privacy, but in the same breath they've just violated your privacy by sending you spam.

    Of what value is a trustworthy system controlled by a company who is clearly untrustworthy? Not much.

  62. Of course by The_Shadows · · Score: 1, Redundant

    The way MS acts, I have to think that they're more like Lawful Evil than Lawful Good. That means they can't make a Paladin. Or a Ranger, for that matter.

    1. Re:Of course by Anonymous Coward · · Score: 0

      Or a bard.

    2. Re:Of course by Anonymous Coward · · Score: 0

      No, how could you call them lawful with all this Anti-trust going on. They are neutral evil. And they can make a bard, but not a monk.

  63. A question by cascino · · Score: 3, Interesting

    I've always wondered what will happen to companies that write commercial compilers and/or tutorials for writing programming code (whether it be C++, C, Basic, whatever) if Palladium becomes the standard.
    Will the computer enthusiast be able to write (and thus learn) new programming languages? I find it hard to believe that a compiler could digitally sign all code, and thus it would be impossible for the average Joe to write a "Hello World."
    I remember writing my first program (a blackjack game, I believe) in 4th grade in Visual Basic. Isn't that how most (if not all) computer professionals got in the business? Will self-discovery and self-learning be possible anymore?

    1. Re:A question by Anonymous Coward · · Score: 0

      Always? You must be about 2 months old!

    2. Re:A question by cyberformer · · Score: 2

      They'll use a sandbox, kind of like Java. This means people who want (and who are willing to pay for the development tools --- notice how Basic is no longer included with Windows) will be able to experiment with simple programs, but not do anything too useful (or "dangerous").

    3. Re:A question by AtariEric · · Score: 1

      Nope. If you want to program anymore, you're probably gonna have to do it the Microsoft Way(tm). Lesson 1: Pay Microsoft $400. Lesson 2: Listen to/read Microsoft Jibe that makes Nazi propaganda look halfway reasonable. This post is not intended to endorse either Nazism or Microsoftism

      --
      Don't trust any concentration of power.
    4. Re:A question by Anonymous Coward · · Score: 0

      Funny, I didn't get jack, and MSN is my provider.

  64. Astroturf Campaign? by thales · · Score: 2
    Is it just me, or are there a lot of posts lately that pop up early in a MS story claiming that we shouldn't say bad things about MS, posts that immediately get modded up to 5 points?

    --
    Quemadmodum gladius neminem occidit, occidentis telum est
    1. Re:Astroturf Campaign? by Anonymous Coward · · Score: 0

      I hope so!

      Maybe MS will send me a check... I could use the extra cash.

      -FK (ran out of reg posts per day)

  65. OMM~! by joe_bruin · · Score: 1

    chet lives!
    i miss omm. i would have loved to see your take on warcraft 3.

    while i'm at it, thanks for being one of the good webmasters out there and caring about the users' privacy, popup ads and limiting tracking and invasions of privacy.

    keep on rocking.

  66. Hack your TiVo Now! by dickDragon · · Score: 1

    Get into non Intel hardware now before
    it's too late.

  67. the patent... by MenTaLguY · · Score: 2

    Microsoft has a patent on the process of loading an OS on such hardware.

    If the hardware hits the market, Microsoft determines who can legally write an OS to run on it, via their control of the patent.

    --

    DNA just wants to be free...
  68. I think they will by jbolden · · Score: 2, Insightful

    The attitude towards accounting fraud is not friendly. The Senate is ticked and the President does not want to look bad on this issue. DAs and judges are similarly going to be out for blood. To prove to Americans that the problem isn't structural but rather with specific individuals the system is going to need scapegoats, that is individuals are going to go to jail.

    1. Re:I think they will by Anonymous Coward · · Score: 0

      Justice is for sale. Apply the "mugging" example: If say Bill Gates mugs you, he'll walk away free, maybe a few million dollars poorer, but that's pocket change to him anyway. If you mug Bill Gates, you end up in prison for many years (maybe even electrocuted by an electric chair running embedded windows xp).

      The rich (famous? respected?) can nearly get away with murder (unless they forget to pay their taxes, then IRS gets them).

      Here's an example from life: A friend of mine is a doctor, who loves to speed in his sports car. He regularly gets pulled over, but has yet to be given a speeding ticket. Why? Because of a magic line: "I'm a doctor, the hospital just called, one of my patients has a serious emergency." (or something of this nature). The police always tell him to drive carefully, and don't give him a ticket. Nobody ever checks to see if he's really going to a hospital, or is just on a joy ride. (in fact, nobody ever checks whether he's a real doctor, besides for a "Dr." next to his name on the driver's license).

    2. Re:I think they will by MrResistor · · Score: 2

      Bullshit.

      If this weren't so public the President, Senate, and Justice Department would all be real busy ignoring the issue right now, just as they have been for years. If they cared they would have done something already. If they were really ticked they would be proposing measures that had some actual teeth to them. As it is, they're just trying to look like they are doing something because they know that if they don't they will be crucified in coming elections.

      --
      Under capitalism man exploits man. Under communism it's the other way around.
    3. Re:I think they will by jbolden · · Score: 1

      Under the new Senate rules any executive can be asked if everything contained in the financial statement is true to the best of their knowledge. Failure to answer within 30 days is subject to up to 5 years imprisonment.

      I'm not sure what your definition of teeth is, but that certainly qualifies under mine.

    4. Re:I think they will by cheezedawg · · Score: 2

      Why does everybody think we need new legislation to solve our accounting problems? We don't have a shortage of laws- there are hundreds of tax and accounting laws on the books already. Running out and making new laws doesn't help at all- we need to enforce our existing ones.

      This is like saying "There have been several girls abducted lately. We need to hurry up and pass some new laws with some actual teeth to them so people will stop killing little girls." That's crap!

      --
      "The defense of freedom requires the advance of freedom" - George W Bush
    5. Re:I think they will by fishbowl · · Score: 2


      Who gets to ask? Does there need to be an indictment first? What if he says "yes, everything is true TTBOMK?" Unless he's under oath, it's the same lies.

      --
      -fb Everything not expressly forbidden is now mandatory.
    6. Re:I think they will by jbolden · · Score: 1

      Submitting false statements to the SEC is currently a pretty serious crime. It's in the same ballpark as lying under oath in court. And there is no requirement for indictment; under indictment the person could more easily plead the 5th.

    7. Re:I think they will by MrResistor · · Score: 2

      Obviously, those tax and accounting laws are ineffective, and a large reason for that is that the corporate executives that make these decisions are largely immune to prosecution (that's a large part of the reason for incorporation in the first place).

      It is a change of that body of law that I am arguing needs to be changed in order to bring some semblance of personal responsibility back to the corporate world. Laws get changed by passing new laws which modify the old ones.

      If kidnapping and killing little girls was commonly "punished" by having to show up at a hearing and answer some questions, maybe followed by a "don't do that again" and a barely noticeable fine, I would be calling for new laws in that area as well.

      --
      Under capitalism man exploits man. Under communism it's the other way around.
    8. Re:I think they will by MrResistor · · Score: 2

      "To the best of my knowledge" is a pretty big loophole, and exploiting it is a time-honored tradition in positions of power.

      How do you prove that they knew? That can be pretty hard. I say, make them responsible even if they didn't know. After all, they are running the company. It's their job to know. You can bet that if that were the case, the top level executives would find out and do something about the situation before it even got to the point of needing a hearing.

      --
      Under capitalism man exploits man. Under communism it's the other way around.
    9. Re:I think they will by jbolden · · Score: 1

      Let's say a CFO tells VPs not to charge off software expenses till the next quarter, or to bury reoccurring staffing costs inside of a capital project budget. The VP would have to mention these things. That then gives the SEC room to interview other VPs and then the dominoes fall.

  69. Mistake only from our perspective... by jjn1056 · · Score: 5, Interesting

    I just attended a private focus group on this subject. All the attendees were Director level IT folk who are constantly hassled by security problems. Some of them came from a management background and some from a technical background. Almost all of them thought this would be a good idea. In fact they thought it was such a good idea that they would be willing to pay $25 to $400 more per server or desktop just for the chance to have this technology.

    I think this shows just how far along this idea has gone. None of these people in the room cared a whit about privacy, open source, the ability to compile your own apps, etc. because the vast majority of people don't even know what they could be missing. All they care about is a golden pill to solve all their security problems.

    So we shouldn't all be thinking that somehow this idea will be MS shooting themselves in the foot. That won't happen unless we get the word out.

    --
    Peace, or Not?
    1. Re:Mistake only from our perspective... by sbuckhopper · · Score: 3, Insightful

      You said, "I think this shows just how far along this idea has gone. None of these people in the room cared a whit about privacy, open source, the ability to compile your own apps, etc. because the vast majority of people don't even know what they could be missing. All they care about is a golden pill to solve all their security problems."

      Let me start out by saying that I agree with this statement. My basis is the fact that I actively do security administration and teach security classes so I've seen my share of people that are involved in corporate/IT security.

      The sad part about this is we got into a situation by people looking for the "golden pill" that will solve all of their problems. I guess it's not so much a golden pill to solve security problems, but more that people just don't want to care about it. They think if they sit in the closet with their eyes closed no one will be able to see them. We've recently been finding out (over the past couple of years) that all of those people were drastically wrong. Now that we've realized that the suits realized this, they've now decided to do something about that magic subject of "security". However instead of hiring someone who knows what they're doing, they find people who look at Microsoft saying things like "I know we messed up, but we've spent 100M USD to fix it, please trust us -- with no actual proof (can't read the code can you? not like they'd know what they were reading)". Then these suits eat it up like cops with doughnuts and two years later we'll be back into the exact same situation.

      The only golden pill for security is knowledge. I tell all of my students that, and I wish that the word would be passed along. I'm not saying that MS is shooting themselves in the foot doing this because no one can read the future, we can only speculate. However I think that companies that blindly follow this scheme will be shooting themselves in the foot.

      --
      "Everybody knows the moon's made of cheese," Wallace.
    2. Re:Mistake only from our perspective... by Anonymous Coward · · Score: 0

      Because these people are idiots, and buy the MS bullshit. How many viruses and worms have run only inside of some MS binary? It's a fairly easy hack to make an OS run only signed binaries, but it's an unsolved problem to make them run safely (well, non-trivial ones anyway).

  70. Right. by sulli · · Score: 1

    Yet another reason non-MS vendors won't buy it. Bye-bye Palladium!

    --

    sulli
    RTFJ.
  71. servers, business, hobbyists? by Ender Ryan · · Score: 4, Insightful
    Ok, so what about servers? Will their server OSes only run signed code? I'm sure a lot of people won't be too happy if that's the case!

    What about internal business software? Will all businesses have to get their own internal software signed by Microsoft for use on their own machines?

    What about hobbyist programmers? I don't know about you, but I got into programming at home messing around with compilers and such... Ummm... Are they trying to extend their monopoly to... programming in general?

    I think it's possible that Palladium could end up being either the demise of general computing, or the demise of Microsoft's monopoly, as other competitors such as Apple, Linux, *BSD, etc, step up and offer people their COMPUTERS back to them.

    I'm not going to worry. If it comes to it, I'll run Linux on PPC hardware or something. If that gets DRM infected as well, I'm sure there will be other choices, possibly from the other side of the pond. And if it's worse, I'm quitting this industry and going into construction or something. Or maybe politics, it'll get easier and easier to run on a platform of offering people their freedom back!

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
  72. No home movies for Grandma? by Tablizer · · Score: 2

    (* It is plain that this has nothing to do with Joe Sixpack's security but only with content protection Hollywood and total control by Microsoft. *)

    I never figured out how home movies would be allowed through. If people find out that they cannot send home movies to Grandma, things are gonna fly.

    Another thing, if the security is based on firmware, it is quite possible to have a bug or two that some hacker can exploit, allowing anything to be "signed". Would we have to upgrade chips to see new content because old ones have been compromised?

  73. Palladium is more marketing smoke. by Anonymous Coward · · Score: 0

    With growing numbers of large businesses starting to use Linux (and other open source software), no hardware manufacturer with a lick of sense is going to make a Palladium-enabled motherboard without making it possible to disable it in the BIOS settings.

    Palladium may become an option, but as long as there is a market for non-Palladium hardware, don't you think someone will supply the demand?

    Winmodems may be a plague, but they haven't completely driven out hardware-based modems.

    This is more FUD. Palladium is bullshit.

  74. Palladium will be a Good Thing(tm) for Linux by Anonymous Coward · · Score: 0
    I assume everyone has read The Palladium Summary, right? A few notes taken from that page:
    • Microsoft does not have the desire or means to control any information which is input into a computer via a means beyond the scope of DRM or Palladium (in unencrypted formats such as MP3), and intends to continue supporting such formats.
    • Microsoft employees have a broad variety of opinions on legal and technical issues related to copyright enforcement. The company's position is that the use of DRM should be purely voluntary (in the sense in which the industry uses that term; they do not have a public position that the DMCA's anticircumvention provisions need to be modified).
    • Microsoft assumed as a design criterion for Palladium that existing versions of Windows should be able to run on a Palladium PC, as should existing Windows applications, as should existing non-Windows operating systems like Linux. There is no attempt to stop people from booting whatever code they currently use or may write in the future. In addition, the hardware trust features can potentially be used by specially-adapted software, regardless of what operating system is running. It is possible to imagine that a Palladium-hardware-aware version of Linux could be created and could make full use of Palladium's hardware features in order to achieve trust comparable to the Windows implementation. Microsoft is only writing an implementation for Windows, but plans to publish all the technical details.
    • Microsoft's nub, including its source code, will be published for review by anyone who wants to examine it, in order to allow all of Microsoft's claims about its security properties to be verified. There is no part of Palladium's design or code which needs to be kept secret, although each SCP will contain secret cryptographic keys loaded at the time of its manufacture. Microsoft will encourage non-Microsoft people to read and discuss its nub. You will also be able to create your own nub, except that changing the nub will (as discussed above) prevent previously-sealed data from being decrypted.
    What's the problem here?

    Linux will do its own extend-and-embrace, and we'll beat them at their own game.

    Palladium also will need to be supported by Intel, AMD, . I doubt all of these companies will lock themselves into a Microsoft-specific hardware platform.

    Stop the FUD from the LINUX community!

    Joshua Thomas as the AC
  75. Irony by bareman · · Score: 1

    The promise of "trustworthy computing" from the Anti-Trust him/itself!

    Ah the things that we do with language since "IS" was redefined for us. Bush seems to have caught on too!

  76. I wonder why... by Edward Teach · · Score: 1

    Gates et al. would be pushing this so hard. Isn't it kind of like them saying, "We can't fix our own problems so we are going to have hardware manufacturers try to fix them for us."?

    --

    Setting his threshold to 5, Sparky eliminated most of the trolls on /.

  77. The market is fine....when the market is fair. by tacokill · · Score: 1

    I agree with everything this poster said if it weren't for one key word in this discussion: Monopoly.

    The very definition of a monopoly implies that the free markets do NOT work in this case. Hence the judge's ruling.

  78. not very trustworthy by rmassa · · Score: 2, Funny

    Six months ago, I sent a call-to-action to Microsoft's 50,000 employees, outlining what I believe is the highest priority for the company and for our industry over the next decade: building a Trustworthy Computing environment for customers that is as reliable as the electricity that powers our homes and businesses today.

    Those utility companies are sure reliable and responsible...

    Hey microsoft... I've got some enron stock to sell you...

  79. Well duh. by Anonymous Coward · · Score: 0

    Palladium (n) (Roots: Paladin, Stadium) The effect of a large stadium falling from the sky upon the party's Paladin. See also: Wish Spell, Twink, Monty Haul, Wishing for Castles, Twisted DM.

    "Woohoo! I want me a stadium!"

    "Okay. A stadium materializes three hundred thousand feet above your head, and falls. Roll a dexterity check with a -19 penalty, please."

  80. Re:*sigh* Never Learning, Always Repeating by hyperturbopete · · Score: 1

    Flawed Microsoft Strategy?

    Not so- palladium might just be a ruse to persuade corporate types to order massive upgrades. With Win2K, workstation/server OS's have finally gotten quite decently stable, usable, and friendly to configure, backup etc. Since there isn't that much reason to upgrade from 2K to XP, MS needs a 'killer feature' to promote adoption of the next generation OS -- this would be palladium. Nice side effect- eliminates competition!

  81. Does anyone realize what Palladium is? by Anonymous Coward · · Score: 0

    Here's an earthlink user site that explains.

    From my perspective, the interesting thing is, in myth, it ultimately failed to protect Troy... :)

  82. Huh by tswinzig · · Score: 2

    Well that's reassuring! I think the general population of California would like for computers to be a bit more reliable than their electric grid!

    I think in general, your computer can only be AS RELIABLE as the electric grid, not MORE RELIABLE.

    Or does your computer have a perpetual motion machine inside?

    --

    "And like that ... he's gone."
    1. Re:Huh by BattyMan · · Score: 1

      I think in general, your computer can only be AS RELIABLE as the electric grid, not MORE RELIABLE.

      Mine have been considerably more reliable than the power grid since I got a UPS (and fixing the bad breaker in the fusebox helped, too), to the point where I'll say: "Fsck that, the availability of the power grid is inadequate. I want, and can do, considerably better. If the level of reliability typical of commercial power distribution systems is satisfactory for the monopolist, there's one more reason I'll stick to FREE software, thank you very much".

      That is a very poor choice of analogy, especially in the PG&E service area.

      --
      Exceeding the recommended torque is not recommended.
  83. Palladium and buffer overflows by anakog · · Score: 2, Interesting
    Does anyone know how Palladium is exactly supposed to stop buffer overflow attacks?

    I mean what is to prevent a buffer overflow vulnerability in the TCP/IP stack implementation from being used? Say it receives the wrong data, the stack overflows and your code is now executing with kernel privileges. From the OS's perspective, no new application has been run, therefore, no check for signatures will ever be attempted.

    Granted, the nub may prevent you from reading encrypted data, but you will have access to everything that is not encrypted. And you are in a very good position to use the kernel privileges to attempt attacks on the nub.

    Also, presumably, the TCP/IP stack will be part of the kernel which itself is signed and authenticated by the nub at boot time...

  84. Reliability... by Shirloki · · Score: 3, Funny

    Six months ago, I sent a call-to-action to Microsoft's 50,000 employees, outlining what I believe is the highest priority for the company and for our industry over the next decade: building a Trustworthy Computing environment for customers that is as reliable as the electricity that powers our homes and businesses today.

    I live in California, need I say more? Not to mention the price of electricity here...

  85. Why not have signed binaries in Linux? by vadim_t · · Score: 1

    Could be pretty good for security on servers. Here's my idea of how it could work:

    You have the server running as normal, with some crypto code in the kernel to verify signatures.
    When a binary is loaded the kernel checks if the file has been changed from the last time it checked it.
    If it has, the kernel looks for the signature for the binary on a readonly floppy. If it doesn't match, it doesn't run it.
    There should be no big slowdown because the kernel could cache floppy accesses.

    If you want to update the server go to another computer, do all the security checks you need and make a new floppy with signatures. Then change the floppy on the server and replace the binary.
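
The load-time check described in the comment above (a manifest on read-only media, re-verified only when the file has changed), sketched in user space as an added example; it is not code from the thread or from any kernel. `ExecGate`, `build_manifest` and the file names are hypothetical, and a plain SHA-256 manifest stands in for the signatures on the floppy.

```python
import hashlib
import hmac
import os
import tempfile
from types import MappingProxyType


def sha256_file(fobj):
    """Hash an already-open binary file in fixed-size chunks."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Run on the separate, trusted machine: path -> digest of the vetted binary."""
    manifest = {}
    for p in paths:
        with open(p, "rb") as f:
            manifest[os.path.realpath(p)] = sha256_file(f)
    # Read-only view: plays the role of the write-protected floppy.
    return MappingProxyType(manifest)


class ExecGate:
    """User-space stand-in for the kernel hook that decides whether to load a binary."""

    def __init__(self, manifest):
        self.manifest = manifest
        self._cache = {}          # path -> (stat fingerprint, verdict)
        self.hashes_computed = 0  # shows how often the slow path runs

    @staticmethod
    def _fingerprint(st):
        # "Has the file changed since the last check?" answered from metadata.
        # ctime is included because it cannot be set back with utime(); a real
        # kernel hook would invalidate the cache on write instead of trusting
        # timestamps, whose granularity can hide a fast same-size rewrite.
        return (st.st_dev, st.st_ino, st.st_size, st.st_mtime_ns, st.st_ctime_ns)

    def may_execute(self, path):
        real = os.path.realpath(path)
        try:
            f = open(real, "rb")
        except OSError:
            return False
        with f:
            # Stat and hash the same open file, so both describe one object.
            fp = self._fingerprint(os.fstat(f.fileno()))
            cached = self._cache.get(real)
            if cached is not None and cached[0] == fp:
                return cached[1]          # unchanged since last verdict
            digest = sha256_file(f)
        self.hashes_computed += 1
        expected = self.manifest.get(real)
        # Default deny: anything missing from the manifest does not run.
        ok = expected is not None and hmac.compare_digest(digest, expected)
        self._cache[real] = (fp, ok)
        return ok


def demo():
    """Constructed scenario: one vetted binary, one unlisted file, one update."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        httpd = os.path.join(d, "httpd")          # constructed sample "binary"
        dropped = os.path.join(d, "dropped_tool")
        with open(httpd, "wb") as f:
            f.write(b"vetted build 1\n")
        with open(dropped, "wb") as f:
            f.write(b"never vetted\n")

        gate = ExecGate(build_manifest([httpd]))
        results["approved"] = gate.may_execute(httpd)
        results["second_check"] = gate.may_execute(httpd)
        results["hashes_after_two_checks"] = gate.hashes_computed
        results["unlisted"] = gate.may_execute(dropped)

        # The file changes on the server without a matching manifest entry.
        with open(httpd, "ab") as f:
            f.write(b"bytes added on the server\n")
        results["modified"] = gate.may_execute(httpd)

        # Update procedure: new binary plus a new manifest (the swapped floppy).
        # Here the manifest is built from the same file only to keep the demo short.
        with open(httpd, "wb") as f:
            f.write(b"vetted build 2, a longer file\n")
        gate = ExecGate(build_manifest([httpd]))
        results["after_update"] = gate.may_execute(httpd)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The gate only establishes that the bytes loaded are the bytes that were vetted; whether those bytes behave safely once running is outside what it checks.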

  86. Invalid conclusions. by juuri · · Score: 2

    "I just attended a private focus group on this subject."

    Any knowledge gleaned from a private focus group is suspect at best. The questions and people attending are highly targeted to give back results that are somewhat easy to predict. These results are then applied to any "study" to show "evidence".

    --
    --- I do not moderate.
  87. The issue of TRUST by Anonymous Coward · · Score: 0

    Trust has more than one meaning. Good and bad.

  88. Just occurred to me... by the_skywise · · Score: 1

    So Palladium is only to make system safer, and isn't intended to control how and what I do with my computer?

    Tell me then...will Palladium stop random Ad spamming in my MSN Messenger and ICQ and various web pages? This is an obvious breach of security for unsolicited applications.

    No?

    The court rests.

  89. As Reliable As Electricity? by gribbly · · Score: 2

    Well if it's M$' goal to build "a Trustworthy Computing environment for customers that is as reliable as the electricity that powers our homes and businesses today", then mission accomplished. In California, at least... =]

    grib.

    --
    maybe
  90. But it's spelled wrong... by mangu · · Score: 2

    It should be "hippocracy", with two p's. Finding a good text with bad spelling is as rare as finding a good brick wall built by someone who doesn't know how to handle bricks.

    1. Re:But it's spelled wrong... by Anonymous Coward · · Score: 0

      Since you mention it, your spelling is also incorrect (very ironic, isn't it?) The word that everyone is trying to spell is hypocrisy. Look it up on Dictionary.com if you don't believe me.

  91. Oh, really? by RatBastard · · Score: 1

    What happens when your motherboard dies, and the only replacement you can find needs Palladium because Intel/AMD decided to play close and snuggly with Microsoft? Or that new soundcard/NIC/RAID controller, etc... you need that also will only run with a Palladium based OS? Then what? Are you still in an "opt in" situation, or are you totally screwed?

    --
    Boobies never hurt anyone. - Sherry Glaser.
  92. explorer.exe is "trusted"? by BattyMan · · Score: 1

    Uh, not by me. I _deleted_ it, bastard illegal monopoly tool that it is.

    Of course the Lose98 system now whines about missing it at every mouse click. TFB. I very seldom boot the WinBloze side anyway. It's useless, it doesn't even have a decent telnet client, much less an X server. You can't get it near the Internet without it becoming 0wn3d by script kiddies or spyware, or both. WTF is WinBloze supposed to _do_, anyway? About all it's good for is to backup the WinCE PDA, which of course can't talk to anything else. I shoulda bought a Palm Pilot.

    Oh, it also is the only thing that the xirlink camera can talk to, unless some geek out there has hacked that protocol.

    --
    Exceeding the recommended torque is not recommended.
    1. Re:explorer.exe is "trusted"? by Verizon Guy · · Score: 1

      It's useless, it doesn't even have a decent telnet client

      Download one.

      much less an X server

      Maybe cause it's not a fucking Unix box!

      can't get it near the Internet without it becoming 0wn3d by script kiddies or spyware, or both

      Never happened to me!

      You are a waste of space.

      --

      Aw, fuck it. Let's go bowling. - The Big Lebowski

  93. Solving the wrong problem by catfood · · Score: 3, Insightful

    Can anyone explain how having (for example) IIS signed by Microsoft is going to make it any more secure? It's not as though there's some "untrusted" version of IIS going around that the Palladium system will be able to detect and disable, is it?

    All signing can do is reassure you that you are indeed running the same binary that Microsoft (or whoever) is offering. It certainly doesn't prove that the binary is competently designed, well tested, or secure against crack attempts.

    Palladium is a terrific solution for a nonexistent problem.

  94. Slashdot is BIASed by geekee · · Score: 1

    For a site which claims to present news, slashdot is very biased. The only articles about Palladium I've seen are about how it's going to kill open-source. Now, let's think rationally. Most hardware manufacturers do not like MS. Therefore it is unlikely they'll elect MS to be the person to keep the list of programs that are considered safe to run on your computer. Even if they did, there'll probably be an option in the BIOS to turn off Palladium if you don't want it. Then you can freely run linux just like before. On the other hand, if linux chooses to use palladium, then it will be much less vulnerable to being hacked.

    --
    Vote for Pedro
  95. The plural of virus is viruses... by emarkp · · Score: 1
  96. Re:Boycott censordot! New updated information! by Anonymous Coward · · Score: 0

    People might listen to you if you didn't sound like you were spreading dishonest propaganda. (Oh yah, that and most people are too informed to believe you.)

  97. Windows ME by SparafucileMan · · Score: 1

    My computer would be a lot more trustworthy if it didn't crash every hour and stall as frequently from massive memory leaks. I swear every time I visit the family and end up using WindowsME, I want to put my fist through the thing.

  98. "If you are a terrorist ... by fferreres · · Score: 2

    ... then go ahead and use that non-DRM, non-Palladium piece of Open Source code. But you will be prosecuted to the full extent of the (MS dictated) law"

    Something like it would do just fine, and it's what I'd like the FSF and whoever to prevent from happening. If they force us to secure our systems in the way they like, we'll lose our freedom as well as our privacy to who knows what. Maybe we may even lose our right to execute whatever program we like.

    --
    unfinished: (adj.)
  99. Trust the computer by Qrlx · · Score: 2

    Okay, this is a little off-topic. But the blurb for this story says "Microsoft's vision of a world where your computer is trusted against you."

    Well, sometimes you should trust the computer over humans. Like that plane crash over Germany -- the TCAS-II said pull up, and the ATC said dive. Quite naturally the Russian pilot chose to dive, which was the completely wrong thing to do. TCAS-II had it right.

    Of course, TCAS-II was coded to keep planes from colliding. MS software is coded to keep you running on the Microsoft Gerbil Wheel of Corporate Profits.

    I just wanted to point out that sometimes, you really can trust the computer. Even more so, I think, when the code is available for peer review, or can be reverse-engineered without committing a DMCA felony.

    I wonder if the code for TCAS-II has comments like:
    !seineeW erA stoliP naissuR

  100. Re:*sigh* Never Learning, Always Repeating by fferreres · · Score: 2

    Palladium is yet another example of Microsoft's flawed software strategy.

    Well, if they can repeat the flawed software strategy again as they did before, remind me to shoot myself in the head for not having bought MS shares today.

    --
    unfinished: (adj.)
  101. What's wrong with the inet protocols? by Whammy666 · · Score: 2, Interesting
    We're also working with others throughout the industry to improve Internet protocols to stop email that could propagate misleading information or malicious code that falsely appears to be from trusted senders.

    Improve as in 'embrace and extend'? What's wrong with TCP/IP, SMTP, or POP3? The problem was never with the transport protocols. They work perfectly. The real problem was with microsloth's crappy Outlook Express gleefully surrendering a user's mailing lists and blindly running every virus script that came along, no questions asked. The problem was further compounded by their reluctance to fix it, despite getting pounded by one virus after another over the course of several years. Even with the recent Apache and SSH exploits, I'd still trust a linux system over M$ any day.

    --
    When all else fails, run.
  102. You want kittens? You got'em! by ZorinLynx · · Score: 1

    Well, one anyway. Mine. http://www.cs.fiu.edu/~flynnj/kittenpics/

    (runs from the flames)

  103. Security from who? by Anonymous Coward · · Score: 0

    He is right, security is important. Especially from software companies that want to collect information on you, spy on you, and send spam to you.

  104. The Truth by Anonymous Coward · · Score: 0

    Our software is insecure so here is a solution to keep other people's software from running on your system.

  105. Right, Palladium is gonna fix Outlook bugs (NOT!) by SysKoll · · Score: 2

    Here we are, in 2004. I listened to Microsoft, I made sure my new PC has a Palladium chip integrated on the motherboard. This way, I'm told, my PC will run only cryptographically signed programs, which will prevent these evil viruses from executing.

    But since I cannot afford to buy a key from MS each time I write a Word macro, I'll have to allow them to run.

    And since Outlook cannot be removed from my Windows 2003 PPPP (Palladium-Protected Professional Plus), I use it for all my email. I use macros there, too, because I need Outlook to update my calendar when my boss sends me a meeting invitation.

    And Outlook 2003 PPPP and Word 2003 PPPP are Palladium-signed applications. So they're safe, right?

    I am sure nobody will ever find any buffer overflow or format string vulnerability in these apps, and that none will ever use them to create another of these worms that propagate using the deadly Word+Outlook combo, and can be activated merely by previewing the message.

    This is such a nice improvement over the current situation. So who cares if I have to insert my credit card in the MS PPPP Card Reader and pay $1.50 each time I want to read the news on MSNBCNN? That's definitely worth the price.

    ** N ** O ** T ** ! **

    -- SysKoll
    --
    Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/

  106. A bona-fide technical answer by for(;;); · · Score: 2

    > Does anyone remember the fight over the clipper
    > phones?

    Yep. Of course, this didn't scratch the itches of many folks, since if the average person thinks to {him|her}self, "I hope no one's listening to this phone conversation," they implicitly mean their government.

    What the NSA should have done was convince phone companies to make listening in to phone conversations trivial for the average person. And making each phone "scriptable" in some poorly-designed language would have worked wonders.

    > It wasn't a rejection of the clipper ideology
    > that sank the proposal. It was a proof that it
    > would be possible to build counterfeit clipper
    > phones that would interact with the system. The
    > NSA screwed up, they built a system that wasn't
    > strong enough.

    I'll take your word on it; some links would be cool. (I'm not questioning your integrity, it just sounds like interesting recent history.)

    > How do they differentiate between a rogue board
    > that pretends to be palladium compliant and a
    > real one?

    They can't.

    > Especially in a world with flashable BIOS?

    Move away from Intel/AMD, and you don't even need to screw with the BIOS. Just boot the OS of your choice and load the Palladium spoofing layer.

    > What's to stop people from buying boards that
    > will be palladium switchable?

    Nothing.

    > If you want to run Windows, you can set the BIOS
    > one way, if you want to run Linux, you can set
    > the BIOS to disregard it?

    Yes. Er, no. AAAHHHH! (Magically catapulted to my death. What was the question?)

    > Or what's to stop people from making boards that
    > accept any signature without checking it?

    (This is the best of your questions.)

    JAIL TIME MANDATED BY THE DMCA.

    Creating such a board would be viewed by the courts as a copyright circumvention device, since you could use it to watch "Incoming Freshmen" without paying the requisite fees to the distributors and (infinitesimally) creators of that knocker-oriented masterpiece.

    Fear will keep the star systems in line. Fear of this battle station.

    --

    "Whatever happened to fair use?"
    -- Duff-Man
  107. You have to read this paragraph by Anonymous Coward · · Score: 0

    From the letter:

    This is an important part of the evolution of the Internet, because without a Trustworthy Computing ecosystem, the full promise of technology to help people and businesses realize their potential will not be fulfilled. Ironically, it is the growth of the Internet and the advent of massive computing systems built from loose affiliations of services, machines, communications networks and application software that have helped create the potential for increased vulnerabilities.

    You have to read it a couple of times, and compare it with reality. "Loose affiliations" are actually open standard, highly decoupled, and typically small interfaces -- the sort of connections that are easiest to test and validate. The greatest actual risk so far has been the "tight affiliation" that is script execution within Microsoft mail clients. Mr. Gates' statement is such FUD that it is appalling. I am developing less and less respect for the man.

    Also, Trustworthy Computing (tm) has certainly already entered the trademark process -- it is capitalized throughout the article.

  108. Explorer by Snover · · Score: 1

    Y'know, there ARE alternative shells.

    --

    [insert witty comment here]
  109. Hypocritical... by tuxedo-steve · · Score: 1
    --
    - SMJ - (It's not just a name: it's a bad aftertaste.)
  110. Test by Popocatepetl · · Score: 1

    Test