Schneier Analyzes Palladium
bcrowell writes "This month's CryptoGram from Bruce Schneier has an analysis of what little information people have been able to glean (without signing an NDA) about Microsoft's Palladium initiative." We might as well throw in a direct link to Schneier's look at the MPAA License to Hack bill as well.
There is more info at the EFF here. And donate some money while you're at it. That's more likely to help than a slashdot whine.
"TCPA will undermine the General Public License (GPL), under which many free and open source software products are distributed." "You will still be free to make modifications to the modified code, but you won't be able to get a certificate that gets you into the TCPA system."
A lot of background information can also be found from Ross' page about Economics and Security.
You should ask yourself the question "if a computer can run code in a protected environment, whose code would you be willing to let into the computer?" Once it's there, it is protected - even from you.
By the way, the hardware used may have been expensive, but the hardware PRODUCED to do it was valued by the author at about $50. So a device could be created to spit out the codes easily and cheaply.
I just wanted to interject a quick reality check. Sure, it looks cheap and easy when quickly reading the paper (or just reading comments on slashdot, most written by people who themselves skimmed or didn't even read it). It looks so simple and easy...
The bare circuit board was made by Advanced Circuits using their $33 each service (that I've used a few times for my own projects). At the time they had a minimum of 2 boards, now it's three. $99 (plus shipping) is still a GREAT price for prototype circuit boards with 6 mil spacing. The norm for the industry is in the $300 neighborhood.
But that $100 only gets you a tiny bare circuit board with an LVDS to TTL buffer chip and 6 mil traces at the same spacing as the traces on the xbox circuit board (nice of them to route the signals on the outer layer instead of an inner layer with the vias buried under the BGA package).
Another component he used was a Xilinx development board, which probably sells for several hundred dollars, and featured a nice Virtex series FPGA chip (expensive). Even if you get the chip as a free sample, you'll need a 4 to 6 layer board (which is way outside of the $33 double sided service), and the ones with flexible choices of I/O signalling only come in BGA packages... which requires very expensive equipment or hiring a board assembly company to solder it. Those chips can only be programmed using proprietary software. Xilinx does provide some limited free software, but the full version sells for between $700 and $2500 depending on which chips it supports.
Now I suppose if you're working in your basement, your labor might be free... but consider the difficulty of soldering those 6 mil traces to the matching 6 mil tracks on the xbox PCB. Also consider that he hand-routed the signals inside the FPGA chip for 200 MHz performance... a very difficult and time consuming task, and he manually tweaked the propagation delay of the clock to get his sampling into the center of the stable bit times of the waveforms on the xbox board.
I've spent quite a bit of time designing with FPGAs (eg, the mp3 player on my website), and I can tell you that this hand optimizing the internal layout of the FPGA, custom tweaked for the other delays in his system, is some very serious voodoo magic that takes an incredible amount of time and patience.
Anyway, my point is that the cost is much more than $50... as a student or engineer with access to much of the equipment, you can discount those other costs. Even if the hardware and software were free, the skill required is absolutely astounding. I know it's easy to read a paper like that and lump it into the collective memory of blurbs that "appeared on slashdot" without any (or much) appreciation for what an incredible feat it was.
That's why I'm writing this long-winded message... to remind any armchair would-be hardware hackers out there that reading a paper like that prepares one for mastery in hardware hacking about as well as watching the Olympics on television prepares one to be a champion figure skater.
So a device could be created to spit out the codes easily and cheaply. It also would not have to be attached for a long period of time, just long enough to retrieve the key. As such you could, theoretically, take your xbox to a shop, and be handed the key 2 minutes later. Wouldn't have to solder anything either.
It would be trivial for Microsoft to make all those signals in inner layers of the circuit board in future revisions. Many other more sophisticated countermeasures are also possible. Technically unsophisticated laws, like say, the DMCA also serve as a pretty good deterrent (at least against a shop doing the work for profit).
But even with the xbox, as it was 1/2 a year ago, the key extraction is a very tough job. The bug in the secret bootloader that allowed the lookup tables for hardware config to bypass the entire process has almost certainly been fixed by now (reportedly, Nvidia recently reported a significant loss on an inventory of xbox specific chips that had to be scrapped... one can only assume they had the original bootloader code and the chips they're making now have a different key and that bug fixed).
So next time you watch figure skating, and they make it look so easy... the same is true with this sort of hardware hacking. Anyone who really does design and play with hardware can tell you that the process described in that paper was absolutely astounding. And while it was relatively cheap, it certainly costs MUCH more than $50.
PJRC: Electronic Projects, 8051 Microcontroller Tools