Schneier Analyzes Palladium

bcrowell writes "This month's CryptoGram from Bruce Schneier has an analysis of what little information people have been able to glean (without signing an NDA) about Microsoft's Palladium initiative." We might as well throw in a direct link to Schneier's look at the MPAA License to Hack bill as well.

My favorite quote

[stefanb]

They're trying to invent a new crime: interference with a business model.

This sums it up pretty nicely, I think.

History tells the future.

[miffo.swe]

Bruce Writes:

"It's hard to sort out the antitrust implications of Pd. Lots of people have written about it. Will Microsoft jigger Pd to prevent Linux from running? They don't dare."

I dont have the same impression of Microsoft that Bruce seems to have. If i go trough what they have done in the past there is nothing they wouldnt do to get more control. They will almost certainly have a licence tailored to make it hard for Open Source/Linux to implement it without breaking GPL.

Considering that GPL is a bigger threat to them than linux itself i assume they will take a shot at it. GPL is the one thing stopping them from stomping all over Open Source wreaking hawoc like in Simpson. They much prefer the BSD licence where they can "borrow" code since the despite their extremely big cashpile cant get people who knows how to code.

Ownership of Your Own Computer

[Greyfox]

Bruce Says: My fear is that Pd will lead us down a road where our computers are no longer our computers, but are instead owned by a variety of factions and companies all looking for a piece of our wallet.

We're already well down that road. It is very easy to see a day when the general computing device we all know and love will be illegal because it makes it way too easy to copy digital data. Nevermind that what made the general computing device popular is that it manipulates digital data so easily.

We all know what the industry wants. THe industry wants a pay per view world where every consumer pays every time he views industry owned content and the industry is protected from competition because they control the technology that allows content to be created. It isn't about fairness. It isn't about content authors getting paid. It's about greed, plain and simple.

Lots of things to think about in this piece...

[jvmatthe]

Microsoft really doesn't care about what you think; they care about what the RIAA and the MPAA think. Microsoft can't afford to have the media companies not make their content available on Microsoft platforms, and they will do what they can to accommodate them.

This brought two ideas to mind...

• Microsoft often positions themselves as a company that empowers the individual user with new software. Will this pitch ring as true when they have clearly stacked the deck to pay homage to the mighty media companies at the expense of the usual freedom that users are fast becoming used to? Or will they find a way to make less freedom seem like more, so that the individual users don't notice?
  
• My usual impression of Microsoft is that they will work around obstacles to maximizing profit. That's what C# (vs. Java) and IE (vs. Netscape) are all about. So, perhaps they'd eventually find it in their best interest to become a real media company themselves and work to lay the new foundation for replacements (or a replacement) for the MPAA and RIAA. Why not the Global Media Producers Association which encompasses all media and has a leaning towards digital distributions, effectively making the MPAA and RIAA obsolete? With such a leadership role (staying at arm's length to stave off anti-trust litigation), they could easily position themselves as the premeire distribution point for such media, without necessarily locking out other platforms (like Apple's MacOS).
  
• Wouldn't it be cool, in a way, to see Microsoft pay lip service to the RIAA and MPAA while cleverly stabbing them in the back? Microsoft is, after all, one of the most vicious hard-ball companies around, or at least has given many that impression. I say that not necessarily in a negative light, in case it comes across that way. It's kind of like enjoying watching a good bad guy in a movie. :^)
  

Ok, time for work...

Re:Isnt he being a bit harsh here?

[sphealey]

Sure, Microsoft has to date produced lots of software with security holes "large enough to drive a truck through". However bear in mind that the holes have usually been a consequence of the overriding principle of wanting to keep things user-friendly at all costs. Their past history doesnt imply anything about how secure they can make their stuff. Certainly, Microsoft hires a lot of smart people and I'm sure that if they were given the mandate to design and implement a secure infrastructure, they could do it - something that Bruce seems to think is impossible.

I would argue that it is in fact the very "smartness" of the people at Microsoft that makes it unlikely that MS will be able to create a secure product. Mr. Gates has explicitly stated (interview in Newsweek about 1995) that when he was hiring people to build Microsoft, he wanted very young, very smart people with no previous experience in the computer industry. And he got them in droves. So these very smart people came in and started rebuilding everything from scratch - without bothering to study the fundamentals or learn about what had been tried in the past.

So the smart people at Microsoft made every mistake that had been made in computing since 1938 all over again, without knowing they were making those mistakes or what their consequences would be. Networking is a perfect example: in their haste to bring something to market that would displace Novell (keeping in mind that Novell created the market for MS-DOS networking), the genuii at MS built a clumsy, difficult to manage, insecure contraption of a networking system that ignored every lesson Xerox, Novell, 3Com, Wang, and others had already learned.

And, thanks to the power of the installed base, we are now stuck with Microsoft Networking and its insecurities for at least the next 20 years, because everything has to be backward compatible with what is already out there.

So I would say a combination of smartness, arrogance, and lack of perspective is exactly what has brought Microsoft code to where it is today. And a corporate culture of that nature is very, very hard to change.

sPh

Re:hardware and software keys.

[topham]

The base assumption in the XBox paper is that the key is unique to each box. But that it isn't relevent.

Once captured off the bus the key can be revealed and used to decrypt everything else as necessary.

By the way, the hardware used may have been expensive, but the hardware PRODUCED to do it was valued by the author at about $50. So a device could be created to spit out the codes easily and cheaply. It also would not have to be attached for a long period of time, just long enough to retrieve the key. As such you could, theoretically take your xbox to a shop, and be handed the key 2 minutes later. Wouldn't have to solder anything either.

Re:Why the hardware?

[Ngwenya]

Can someone please explain why the desired level of security can't be obtained by only software?

Because the control mechanism in any von Neumann machine is in the same band as the stuff being controlled (ie, the OS - which enforces the security policy - operates in the same space - the CPU's available memory - as the programs which may, or may not, behave themselves).

Ultimately, the only way to have a secure audit trail for how a computer got to its current state is to have the verifier out of band from the verified. This is why you need the trusted component (the tamper proof verifier which can sign the logs of the host system). Assuming no-one can get to the trusted component private keys (even, or especially, the computer owner), another computer can trust the signature to be an accurate representation of the state of the original machine.

By the way, it's this in-band control mechanism which means that the Internet Protocols have an incredibly hard time defending themselves against DoS attacks - because the ICMP packets travel along the same route as the TCP/UDP packets. If you can interfere with the data stream, you can interfere with the control stream as well. The phone companies found this out ages ago, which is why whistling at 2600Hz doesn't work any more.

--Ng

Re:Usefulness of Palladium?

[rseuhs]

Unfortunately the home user won't read the article. He will read advertisement ads that promise him a computer that will make "Windows XP even more secure".

The home user bought Office 2000 because of the helpful little paperclip. He will buy this.

Wrong, the home user did not buy Office 2000. If they have it at all, they pirated it.

And that's Palladium's problem. Currently, the home user is used to pirate software/music/movies and if anything tries to stop him doing it, he will refuse to use it.

There will be a market for non-Palladium systems (to be more specific, there will be no market for Palladium systems) so companies will produce for that market. If AMD and Intel are relly so stupid to refuse to make any non-Palladium chips anymore, be ready for VIA and Transmeta chips that will be bought if there is no other chance to watch "insecure" content on the PC.

Come on, this has been tried before (DivX-hardware player) it just does not work.

Re:VM Could break Pd perhaps?

[Kaa]

VmPd runs on a PC, VmPd contains all keys required to access all areas of itself. VmPd is trusted, because it is a trusted PC (which is the point of this whole mess) to do what it is expected to do.

This might work if and only if you gain access to the private keys of the Pd hardware chip.

If you have these keys, the security is broken completely and you can do whatever you want. Getting them is the hard part.

Keep in mind that you, the owner of the machine, is NOT supposed to have access to these keys. In fact they are specifically protected against YOU.

Pd is trusted in this context means that a Pd machine is trusted by Disney, etc. to display some copy-protected crap. You, the owner, is NOT the trusted party, you are the bad guy, the malicious bastard that your machine has to be protected from.

Re:Not the MPAA's bill.

[danaris]

I'm an author and a filmmaker, I've worked with the MPAA, I've seen my work pirated, I've heard studio heads freak out about the fact that their product is available on the Internet three weeks before theatrical release.

First of all, let me say that I am in no way affiliated with anyone in the industry, and, as such, am basing my comments entirely upon what I have been able to glean from other people's accounts. Thus, if anything I say is incorrect, please feel free to correct me--I am always looking for a better understanding of this subject.

I don't think any of us here will disagree that piracy happens, and, to individuals such as yourself, it might truly be a problem. However, our two main gripes are 1) they're going about fighting it in all the wrong ways, and 2) the amount of money actually lost to the RIAA through piracy is so small as to be insignificant (to them; if any of us actually got that amount of money it would probably make us very happy), and, from what I can tell, only a very tiny fraction of that would get back to the artists/movie makers/etc.

To address these points more fully:
1) Yes, the piracy happens, and digital piracy happens, but by far the biggest piracy is analog. Most of the problem isn't people ripping a DVD of a movie and distributing that (though it happens); the problem you mentioned, movies appearing early, is usually accomplished by some insider (or semi-insider) leaking it; they have access to the original source material, so none of this would stop them from copying it. The other problem is that they are assuming the consumers are all thieves, and thus punishing everyone for the sins of a few. What they could be doing instead is looking for better ways to make buying the product attractive (like dropping prices or something).
2) The RIAA/MPAA talk about numbers of pirated copies sold in a certain period (side note: how the heck do they even know? Do the pirates tell them??), and take those, with the amounts they would have been paid, had all those copies been bought from them, and come up with an amount that they call the amount of money they've lost to piracy during that period. The first problem with this is that, if they had not bought the pirated copies, most of those people would not have bought anything from the RIAA/MPAA. Then, even if those numbers were correct, I think they could afford it. How much do they spend on campaign contributions a year? I would bet that it's at least as much. And, of course, the "poor artists" who are being robbed by the "evil pirates" would get very little of the money.

Once again, if any of this information is inaccurate, please do not be offended; instead, simply tell me what I've gotten wrong.

Dan Aris