Slashdot Mirror


Schneier Analyzes Palladium

bcrowell writes "This month's CryptoGram from Bruce Schneier has an analysis of what little information people have been able to glean (without signing an NDA) about Microsoft's Palladium initiative." We might as well throw in a direct link to Schneier's look at the MPAA License to Hack bill as well.

5 of 270 comments

  1. My favorite quote by stefanb · · Score: 5, Insightful
    They're trying to invent a new crime: interference with a business model.

    This sums it up pretty nicely, I think.

  2. Ownership of Your Own Computer by Greyfox · · Score: 5, Insightful
    Bruce Says: My fear is that Pd will lead us down a road where our computers are no longer our computers, but are instead owned by a variety of factions and companies all looking for a piece of our wallet.

    We're already well down that road. It is very easy to see a day when the general computing device we all know and love will be illegal because it makes it way too easy to copy digital data. Never mind that what made the general computing device popular is that it manipulates digital data so easily.

    We all know what the industry wants. The industry wants a pay per view world where every consumer pays every time he views industry owned content and the industry is protected from competition because they control the technology that allows content to be created. It isn't about fairness. It isn't about content authors getting paid. It's about greed, plain and simple.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  3. Lots of things to think about in this piece... by jvmatthe · · Score: 5, Insightful
    Microsoft really doesn't care about what you think; they care about what the RIAA and the MPAA think. Microsoft can't afford to have the media companies not make their content available on Microsoft platforms, and they will do what they can to accommodate them.

    This brought two ideas to mind...
    • Microsoft often positions themselves as a company that empowers the individual user with new software. Will this pitch ring as true when they have clearly stacked the deck to pay homage to the mighty media companies at the expense of the usual freedom that users are fast becoming used to? Or will they find a way to make less freedom seem like more, so that the individual users don't notice?
    • My usual impression of Microsoft is that they will work around obstacles to maximizing profit. That's what C# (vs. Java) and IE (vs. Netscape) are all about. So, perhaps they'd eventually find it in their best interest to become a real media company themselves and work to lay the new foundation for replacements (or a replacement) for the MPAA and RIAA. Why not the Global Media Producers Association which encompasses all media and has a leaning towards digital distributions, effectively making the MPAA and RIAA obsolete? With such a leadership role (staying at arm's length to stave off anti-trust litigation), they could easily position themselves as the premier distribution point for such media, without necessarily locking out other platforms (like Apple's MacOS).
    • Wouldn't it be cool, in a way, to see Microsoft pay lip service to the RIAA and MPAA while cleverly stabbing them in the back? Microsoft is, after all, one of the most vicious hard-ball companies around, or at least has given many that impression. I say that not necessarily in a negative light, in case it comes across that way. It's kind of like enjoying watching a good bad guy in a movie. :^)

    Ok, time for work...

  4. Re:Isnt he being a bit harsh here? by sphealey · · Score: 5, Insightful
    Sure, Microsoft has to date produced lots of software with security holes "large enough to drive a truck through". However bear in mind that the holes have usually been a consequence of the overriding principle of wanting to keep things user-friendly at all costs. Their past history doesn't imply anything about how secure they can make their stuff. Certainly, Microsoft hires a lot of smart people and I'm sure that if they were given the mandate to design and implement a secure infrastructure, they could do it - something that Bruce seems to think is impossible.

    I would argue that it is in fact the very "smartness" of the people at Microsoft that makes it unlikely that MS will be able to create a secure product. Mr. Gates has explicitly stated (interview in Newsweek about 1995) that when he was hiring people to build Microsoft, he wanted very young, very smart people with no previous experience in the computer industry. And he got them in droves. So these very smart people came in and started rebuilding everything from scratch - without bothering to study the fundamentals or learn about what had been tried in the past.

    So the smart people at Microsoft made every mistake that had been made in computing since 1938 all over again, without knowing they were making those mistakes or what their consequences would be. Networking is a perfect example: in their haste to bring something to market that would displace Novell (keeping in mind that Novell created the market for MS-DOS networking), the genuii at MS built a clumsy, difficult to manage, insecure contraption of a networking system that ignored every lesson Xerox, Novell, 3Com, Wang, and others had already learned.

    And, thanks to the power of the installed base, we are now stuck with Microsoft Networking and its insecurities for at least the next 20 years, because everything has to be backward compatible with what is already out there.

    So I would say a combination of smartness, arrogance, and lack of perspective is exactly what has brought Microsoft code to where it is today. And a corporate culture of that nature is very, very hard to change.

    sPh

  5. Re:Why the hardware? by Ngwenya · · Score: 5, Insightful

    Can someone please explain why the desired level of security can't be obtained by only software?

    Because the control mechanism in any von Neumann machine is in the same band as the stuff being controlled (i.e., the OS - which enforces the security policy - operates in the same space - the CPU's available memory - as the programs which may, or may not, behave themselves).

    Ultimately, the only way to have a secure audit trail for how a computer got to its current state is to have the verifier out of band from the verified. This is why you need the trusted component (the tamper-proof verifier which can sign the logs of the host system). Assuming no one can get to the trusted component private keys (even, or especially, the computer owner), another computer can trust the signature to be an accurate representation of the state of the original machine.

    By the way, it's this in-band control mechanism which means that the Internet Protocols have an incredibly hard time defending themselves against DoS attacks - because the ICMP packets travel along the same route as the TCP/UDP packets. If you can interfere with the data stream, you can interfere with the control stream as well. The phone companies found this out ages ago, which is why whistling at 2600Hz doesn't work any more.

    --Ng
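
Added example, not part of the comment above or of any Palladium code: a minimal model of the out-of-band trusted component it describes, which accumulates boot measurements in a register the host can only extend and signs that register for a remote verifier. All names, the sample measurements and the key are constructed for illustration, and HMAC stands in for the private-key signature a real component would produce.

```python
import hashlib
import hmac

# ASSUMPTION: constructed stand-in for the key sealed inside the trusted component.
# A real design signs with a private key and the verifier holds only the public
# half; HMAC is swapped in here to stay within the standard library.
DEVICE_KEY = b"constructed-demo-key"
GOOD = [b"bootloader v1", b"kernel v1", b"policy v1"]  # constructed sample measurements


def extend(register: bytes, measurement: bytes) -> bytes:
    # One-way and order-sensitive: the host can append, never rewrite history.
    return hashlib.sha256(register + hashlib.sha256(measurement).digest()).digest()


class TrustedComponent:
    """Out of band from the host: exposes extend() and quote(), never the key."""

    def __init__(self, key: bytes):
        self._key, self._register = key, bytes(32)

    def extend(self, measurement: bytes) -> None:
        self._register = extend(self._register, measurement)

    def quote(self, nonce: bytes):
        # The nonce from the remote verifier prevents replay of an old quote.
        tag = hmac.new(self._key, nonce + self._register, hashlib.sha256).digest()
        return self._register, tag


def boot(components):
    tc = TrustedComponent(DEVICE_KEY)
    for c in components:
        tc.extend(c)  # each stage is measured before it runs
    return tc


def verify(log, nonce, register, tag, key=DEVICE_KEY, expected=GOOD) -> str:
    want = hmac.new(key, nonce + register, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return "bad signature"
    replayed = bytes(32)
    for entry in log:
        replayed = extend(replayed, entry)
    if replayed != register:
        return "log does not match signed state"
    return "trusted" if list(log) == list(expected) else "unexpected software"
```

The log passed to `verify` is kept by the host and is therefore in-band and editable; only the signed register is out of band, which is why a host that boots modified software and then reports the clean log fails the replay check.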