Schneier Analyzes Palladium

bcrowell writes "This month's CryptoGram from Bruce Schneier has an analysis of what little information people have been able to glean (without signing an NDA) about Microsoft's Palladium initiative." We might as well throw in a direct link to Schneier's look at the MPAA License to Hack bill as well.

VM Could break Pd perhaps?

[Dooferlad]

The latest Crypto-Gram has some things to day about Pd, or Palladium as the full name goes. It is interesting, but it doesn't say anything about somthing that sprang to my mind - the possibility of a virtual machine that runs as a Pd device, on top of a non-Pd device, completely breaking the security. This would be hard to do I expect, but not impossible. Those who have written VmWare and similar programs probably have it in them to reverse engineer the protocols used and re-produce them in software, for the sake of argument call it VmPd.

It goes like this:

VmPd runs on a PC, VmPd contains all keys required to access all areas of itself. VmPd is trusted, because it is a trusted PC (which is the point of this whole mess) to do what it is expected to do. For the sake of argument assume we have downloaded The Little Mermaid under license from Disney, and we are only allowed to play it once. We turn off VmPd, and all we have is an encrypted jumble on our hard disk where we set up the partition to host it. We also have the keys to read it though, and simply decrypt the move and show it to our hypothetical little children as many times as we like.

This works because, as I understand it, Pd only allows you to access material with certain rights, depending on what access partition it is under. If Disney set up an access partition for downloading movies, this will be done in a way that trusts your Pd machine.

Assuming that Disney only give you a key when you pay for one, that key will always work unless they can chance how the movie is encrypted. It is conceivable that they would have a player that on-the-fly re-encrypts the movie with a new public key as you view it, every time you view it, and they only give you the new private key when you pay for it. But the transmission of the key is encrypted, trusted because you have a Pd device, so you just intercept the key on its way into VmPd, don't play the movie, and decrypt it yourself and watch as many times as you like.

I am probably missing something, but it makes for interesting thinking.

More info here

[countach]

There is more info at the EFF here. And donate some money while you're at it. That's more likely to help than a slashdot whine.

My favorite quote

[stefanb]

They're trying to invent a new crime: interference with a business model.

This sums it up pretty nicely, I think.

Ownership of Your Own Computer

[Greyfox]

Bruce Says: My fear is that Pd will lead us down a road where our computers are no longer our computers, but are instead owned by a variety of factions and companies all looking for a piece of our wallet.

We're already well down that road. It is very easy to see a day when the general computing device we all know and love will be illegal because it makes it way too easy to copy digital data. Nevermind that what made the general computing device popular is that it manipulates digital data so easily.

We all know what the industry wants. THe industry wants a pay per view world where every consumer pays every time he views industry owned content and the industry is protected from competition because they control the technology that allows content to be created. It isn't about fairness. It isn't about content authors getting paid. It's about greed, plain and simple.

vaporware... ?

[jukal]

Palladium, Pd46, Heat of vaporization 357.0 kJ/mol. I quess kJ/mol means, KiloJournalists / Microsoft's Obfuscated Literature?

Palladium (like chemists, Microsoft calls it "Pd")

[ejaw5]

as all chemistry students will learn:

Palladium (Pd) + MP[3/G/EG] (MP*) => Fire.

Lots of things to think about in this piece...

[jvmatthe]

Microsoft really doesn't care about what you think; they care about what the RIAA and the MPAA think. Microsoft can't afford to have the media companies not make their content available on Microsoft platforms, and they will do what they can to accommodate them.

This brought two ideas to mind...

• Microsoft often positions themselves as a company that empowers the individual user with new software. Will this pitch ring as true when they have clearly stacked the deck to pay homage to the mighty media companies at the expense of the usual freedom that users are fast becoming used to? Or will they find a way to make less freedom seem like more, so that the individual users don't notice?
  
• My usual impression of Microsoft is that they will work around obstacles to maximizing profit. That's what C# (vs. Java) and IE (vs. Netscape) are all about. So, perhaps they'd eventually find it in their best interest to become a real media company themselves and work to lay the new foundation for replacements (or a replacement) for the MPAA and RIAA. Why not the Global Media Producers Association which encompasses all media and has a leaning towards digital distributions, effectively making the MPAA and RIAA obsolete? With such a leadership role (staying at arm's length to stave off anti-trust litigation), they could easily position themselves as the premeire distribution point for such media, without necessarily locking out other platforms (like Apple's MacOS).
  
• Wouldn't it be cool, in a way, to see Microsoft pay lip service to the RIAA and MPAA while cleverly stabbing them in the back? Microsoft is, after all, one of the most vicious hard-ball companies around, or at least has given many that impression. I say that not necessarily in a negative light, in case it comes across that way. It's kind of like enjoying watching a good bad guy in a movie. :^)
  

Ok, time for work...

Isnt he being a bit harsh here?

[Kenneth+Stephen]

To quote : "3. Like everything else Microsoft produces, Pd will have security holes large enough to drive a truck through. Lots of them. And the ones that are in hardware will be much harder to fix. Be sure to separate the Microsoft PR hype about the promise of Pd from the actual reality of Pd 1.0."

Sure, Microsoft has to date produced lots of software with security holes "large enough to drive a truck through". However bear in mind that the holes have usually been a consequence of the overriding principle of wanting to keep things user-friendly at all costs. Their past history doesnt imply anything about how secure they can make their stuff. Certainly, Microsoft hires a lot of smart people and I'm sure that if they were given the mandate to design and implement a secure infrastructure, they could do it - something that Bruce seems to think is impossible.

Re:Isnt he being a bit harsh here?

[sphealey]

Sure, Microsoft has to date produced lots of software with security holes "large enough to drive a truck through". However bear in mind that the holes have usually been a consequence of the overriding principle of wanting to keep things user-friendly at all costs. Their past history doesnt imply anything about how secure they can make their stuff. Certainly, Microsoft hires a lot of smart people and I'm sure that if they were given the mandate to design and implement a secure infrastructure, they could do it - something that Bruce seems to think is impossible.

I would argue that it is in fact the very "smartness" of the people at Microsoft that makes it unlikely that MS will be able to create a secure product. Mr. Gates has explicitly stated (interview in Newsweek about 1995) that when he was hiring people to build Microsoft, he wanted very young, very smart people with no previous experience in the computer industry. And he got them in droves. So these very smart people came in and started rebuilding everything from scratch - without bothering to study the fundamentals or learn about what had been tried in the past.

So the smart people at Microsoft made every mistake that had been made in computing since 1938 all over again, without knowing they were making those mistakes or what their consequences would be. Networking is a perfect example: in their haste to bring something to market that would displace Novell (keeping in mind that Novell created the market for MS-DOS networking), the genuii at MS built a clumsy, difficult to manage, insecure contraption of a networking system that ignored every lesson Xerox, Novell, 3Com, Wang, and others had already learned.

And, thanks to the power of the installed base, we are now stuck with Microsoft Networking and its insecurities for at least the next 20 years, because everything has to be backward compatible with what is already out there.

So I would say a combination of smartness, arrogance, and lack of perspective is exactly what has brought Microsoft code to where it is today. And a corporate culture of that nature is very, very hard to change.

sPh

So tell them!!!

[DoctorFrog]

Unfortunately the home user won't read the article. He will read advertisement ads that promise him a computer that will make "Windows XP even more secure".

The home user bought Office 2000 because of the helpful little paperclip. He will buy this.

Being defeatist about it doesn't do squat. I bring these kinds of articles to work. I leave them in the lunch room. I don't have to proselytise any more than that; everyone knows it's me leaving them, and they ask me. I tell them what's going on and what they can do about it, including the downsides ("You will have to learn more about your computer. You will have to do some research before you buy new hardware. You won't have as many commercial applications available, and that includes games.").

I keep a supply of Live-CD distros in my desk and I give them away. Microsoft has lost several Joe Sixpack level customers from this activity. I will help people do the switch, while making it clear to them that I'm not an expert or a professional, just a guy willing to help; I will always make a full backup if they have a burner (except for XP), and I will always recommend a dual-boot at least to start with, and I will always promise to do my best to restore their system (no guarantees) if they decide to go back to all-Windows. So far no one has taken me up on that last one.

Re:Why the hardware?

[Ngwenya]

Can someone please explain why the desired level of security can't be obtained by only software?

Because the control mechanism in any von Neumann machine is in the same band as the stuff being controlled (ie, the OS - which enforces the security policy - operates in the same space - the CPU's available memory - as the programs which may, or may not, behave themselves).

Ultimately, the only way to have a secure audit trail for how a computer got to its current state is to have the verifier out of band from the verified. This is why you need the trusted component (the tamper proof verifier which can sign the logs of the host system). Assuming no-one can get to the trusted component private keys (even, or especially, the computer owner), another computer can trust the signature to be an accurate representation of the state of the original machine.

By the way, it's this in-band control mechanism which means that the Internet Protocols have an incredibly hard time defending themselves against DoS attacks - because the ICMP packets travel along the same route as the TCP/UDP packets. If you can interfere with the data stream, you can interfere with the control stream as well. The phone companies found this out ages ago, which is why whistling at 2600Hz doesn't work any more.

--Ng