Slashdot Mirror
Questions for a Lecture on Microsoft's Palladium?
An anonymous reader asks: "Microsoft is going to be giving a lecture on Palladium
for my Computer and Network Security class at MIT this Thursday. We're told that it's going to be the most technically detailed lecture publically given to date, and that we should be armed with questions as a result. Any suggestions from the Slashdot crowd? What technical details have you been dying to know about Palladium?" It would be interesting to hear back from someone who is planning on attending this. For those who wish they were, but can't for one reason or another, what would you have asked by proxy?
No matter what your first question is, if it's from Slashdot, your second question will be:
Why won't you answer my first question?
"Will it run Linux?"
ask them to stop being asses and see how they respond.
Slash-for-Thought
Honestly, Microsft, what are you try to achieve here?
That would be my question... i would then rebut it with "What would you like on your Tombstone?"
Hey, this is my sig, if you don't like it, STOP READING MY POSTS!
Why did you choose to build your new processor out of Palladium.
Silicon, with aluminium or copper, is the more traditional choice.
...that you'll adopt Palladium if Steve runs and jumps around like an idiot for an hour. Then after he's done, tell them you were just kidding. He could use the exercise.
More of a basic business question, but didn't anyone learn from Intel's ill-fated processor serial number "feature" in the Pentium III, or the Div-X movie fiasco? Why would consumers want this at all, and why will they choose it over other alternatives?
Read this for some good info.
Since when did you side with Fritz and Disney?
The biggest question in my mind on Palladium is how it's supposed to help users. Why we're supposed to use it, instead of just keeping on using our old Palladium-free computers.
TANSTAAFI: There Ain't No Such Thing As A Free iPod.
We don't need palladium for viruses...this just seems like a system for pervasive DRM. Why do we need this?
And how does "trust" have anything to do with Palladium. Palladium is a system of control, not of trust.
Are there any plans to have this webcasted via audio or video, or at the vary least transcripted for our analytical pleasure?
MIT's page makes no mention of any intention to do this, and seeing how it will apparently be the "most technically detailed lecture publically given to date," I think that the public would benefit greatly from such a service.
Maybe it isn't as technical as you want the questions to be, but I'm interested in the answer:
Can open source software and Palladium coexist?
Have you been stalked by Seth today?
The question i would most like to see them confronted by (though i most likely know the answer) is: Microsoft has been called a monopoly in the PC market, it maintains control over more than 95% of the desktop market. Since the only operating system that can even compare to windows (desktop wise) on the PC is linux. If palladium is integrated won't this mean death for linux and Microsofts complete domination over the desktop market? They will most likely try to sugar cote thier answer, or say that linux should go closed source (HA!) however it will boil down to "Yes".
History will be kind to me, for I intend to write it - Sir Winston Churchill
How many hot man-on-man sessions went on in the high spheres of corporate power for Palladium to happen?
I'm curious who Microsoft expects to be the target customer base for this software, do they expect home users, or businesses. Will this be used in general across an office, or possibly only for machines that require high security (e.g. servers with remote access)? It seems that the average home user wouldn't want to be troubled with some of the new security features, and since technologies of questionable legality (mp3, divx, etc.) are becoming popular in the main-stream now, many people would actually be opposed to some of the new security measures. So, since Microsoft has typically targetted an average home user with their products, do they expect to win over the home user market for this new product, or do they simply plan on a small user-base that requires a more substantial amount of security at first, then try to make the system more wide-spread among consumers later?
What will Palladium do to those of us who release independent content? (As in, independent of major corporations.)
The only way I can see it possible to effectively implement DRM is to require computers to not play any digital content that does not have a valid encrypted signature, as provided by the various media companies, and/or Microsoft and Intel.
My main concern, is that independent producers/composers/moviemakers will be locked out of distributing digital content, because the companies involved in Palladium, and other DRM schemes, can choose to withhold issuing these encrypted signatures to them, therefore rendering their content unplayable on Palladium-enabled systems.
I feel, as a copyright owner, and musician, that this infringes upon my rights to distribute my work signature-free, for anyone to be able to play. I do not want a special tag on my releases telling people this is official. I would just like to see my stuff "out there". Therefore, this infringes upon my right to the "pursuit of happiness", as ordained by the constitution.
Anyone else have thoughts?
-----
"You spilled my egg... I needed that egg."
When will the specs be released in enough detail to enable people to write a nub (or "nexus" or "trusted operating root")?
Will there be any consideration of key management systems that would allow one, for example, to trust any kernel signed by (ie.) RedHat?
Will applications have to care about this sort of thing, or will one nub look the same as any other to them?
Will Microsoft assume liability for when Palladium breaks, or are they going to hide behind some shrink-wrap/click-through agreement that says that they (Microsoft) can't be held liable for anything?
How about:
;)
"Given your woeful record on security in the past, what makes anyone at M$ think they can do anything right with security in the future?"
(No matter what the reply)..follow up with:
"So, is this _really_ about security then???"
From what I have gathered, NO code can run on palladium enabled hardware that is not signed by Microsoft. I am concerned not just about Linux, but about all open source and individual development in general.
Will code I write be able to be run on different Windows machines, or will I be restricted to my local environment barring a signature from Microsoft? From what I have read so far it is the latter and that is frankly terrifying.
Are they releasing details on when they plan on invading Poland? Just so i can be sure to leave The Continent before then.
I refuse to have a sig... dammit!
Quote: "Your compatible with the internet..." lol, compatible with the internet
-Siggy!
Are they going to give a handout listing all the exploits and security holes Palladium will include?
I should have picked out the nickname Demosthenes!Tecumseh.
Trolls and humor aside, I would like to know how they are expecting to fix problems with Palladium should they arise. The only way they can fix X-Box "security" problems right now is to release X-Box 1.1, and if they have to re-release computers to fix security problems, how would they do it? and who gets the bill? (maybe I shouldn't ask that last question...) And what is to stop people from mod-chipping computers? At any rate, I believe like many of my fellow /.'ers that X-Box is a Palladium Preview... or Rhodium (the element before Pd, get it?)
Hmmm.. On that note, maybe Palladium is a preview to Microsoft Silver?
I'm the Devil the Windows users warned you about.
Will the Palladium chips also be the rumoured native MSIL (MS Intermediate Language) processors?
Micro$oft sucks! Down with Micro$oft!
Why does tom care?
Someday, I'll have a real sig.
You talk about Palladium being trusted and secure computing. Are there any provisions for backdoors so any content generated by the "secure" technologies can be monitored? If so, how secure will these backdoors be from malicious hackers?
Find a job you like and you will never work a day in your life.
How is Palladium supposed to help or "enhance" the users experience?
In my opinion this is going to just frusterate the every day user, and make the "hacker" laugh at Microsoft's effort of a controlled system. The average user wants to go on his/or her computer - listen to music & chat.
They do not want some "secure" music file, they just want to be able to listen to the song. They don't care if its authenticate, or if it contains a "virus".
I believe that this is just a useless effort on Microsoft's part, and lots of wasted time & money for the user.
And for my lead on..
How much is this going to cost Microsoft to develop? For the bug fixes & patches because of Screw ups in the development proccess which don't let me open my Microsoft Powerpoint file.
Free means no restrictions, ironic the FSF's GPL forces restrictions, isn't it? What's your definition of free?
What options are likely to exist for people that do not wish to use Palladium?
Will Pallidium come integrated with Longhorn and all future M$ products, or will there be an opt out program where you can choose to not use Pallidium.
Isn't this just a copied and pasted troll? It sounds vaguely similar to messages I've seen replying to every other pro-Linux post for a while, and frankly, it's starting to get old.
Ask them what they are going to do after they
1) dictate what programs you can run on your computer
2) dictate what content you use with those programs
3) ?
Once Palladium has gained market acceptance, will the borg-gear be a requirement, or more of a 'perk' for loyal customers and trusted partners?
microsoftword.mp3 - it doesn't care that they're not words...
Why do we our computers to protect us from ourselves?
Yeah, here's a question. Since every "security" initiative or technology MS has ever introduced has been a complete pile of crap, why should we expect that Palladium will be anything more than a way to help you continue your current dominance of the consumer computer market?
I'm sure a lot of mods will lump this into the Slashbot category, but be realistic: Microsoft has an egregiously bad track record when it comes to security in their products, and they are a convicted monopolist. This entire scheme smacks of an attempt to control your computer's hardware, not just your software, not to mention further abusing their monopoly power. Why should I trust a damn thing Microsoft says?
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Ask questions that will make the lecturer either reveal how evil it is, or make his evasions obvious. Possibilities:
1. If you turn it off - as MS claims they're going to allow - will the system then appear to apps, content & the network as "a Palladium PC with Palladium turned off" or as a non-Palladium PC? (Hint: it's the former.)
2. Will I still be able to flash my BIOS? *All* of it? replace it completely? (Assuming TCPA hardware, they're lying if they say 'yes'.)
3. Why would I want to buy this, if I'm not interested in Hollywood movies but do want complete control over my computer?
Rate me off-topic, but (esp. considering MIT's OpenCourseWare) I think I would love to attend that meeting virtually or watch some digitally available copy of that session... Is that possible? :)
And if I could pose a question, I would probably ask how they would try to fight the immanent problem that people always find a way to beat copy protection, since the beginning of sold 8" floppy disks, and there will be no way to prevent that in Palladium either, I swear...I would like to know one thing. It's to do with this combination of words:
Microsoft. Computer and Network Security. Lecture. MIT.
Ha.
I'm sorry. I just don't understand how Microsoft is able to lecture students on the merits of their (closed, proprietary) technology at a university. What is the purpose of their visit, and how did it come about? Are they going with the intent of selling the idea of Microsoft 'security' to students (who, of course, would eventually be prospective employees or clients)?
I suppose I'll actually be pretty suprised if they were there in a serious, technical (and non-marketing) capacity given Microsoft's blatant hatred of the opinions of others when it comes to anything that doesn't fit their corporate vision. This also seems odd remembering their policy of (in)security through obscurity.
Just walk out of there if they try to make you sign anything.
Why should one buy a more expensive Palladium compatible computer if they can buy a cheaper non-Palladium one?
Why would a company restrict the content they provide and thrus limiting their consumers with a tecnology that will divide the world and conquer nothing?
Cheers...
They might not have an answer for this, exactly, but I'm sure I'm not the only one who's dying to know: What the FUCK?
A. After it is released what is the ETA of the hack that will work around Palladium?
B. How many months will it be before MS comes out with a patch for the above mentioned hack?
Question: Do any non-industry customers (ie. consumers) actually WANT Palladium or any other DRM technology? As a "feature" that would restrict a user's ability to use and/or manipulate data in certain formats, doesn't this represent a step backwards from the enormous utility of personal computing?
Editorial - I can see people moving in droves back to high-quality analog video and audio editing as a result of DRM technology being forced upon consumers. The whole point of a fast digital computer is to rapidly and conveniently manipulate digital data regardless of the format on a single machine, so any restrictions on doing so is a step back towards single-use analog or simple digital circuits.
Don't they SEE what they're doing in the big picture? The day a personal computer won't compute what you want it to compute is the day you switch to something that will, plain and simple. They're playing with nothing less than the death of the general purpose processor.
In a funny strange way, yes.
Just stick with AMD and bypass the M$-Intel kingdom altogether
Dude, it is +184 funny
looking.
You can hack anything you want with TECO and DDT
3) profit!
(more likely "go bankrupt", but with luck they're foolishly thinking it'll work.)
What plans are there to be Rendezvous compliant?
The great technology boom of the 80's and 90's - and the wealth that was created as a result - happened because ownership of Personal Computers became widespread. Microsoft and Intel were two of the key players that triggered that explosion. One of the most important reasons people brought PCs was because they could write or run any software on them. They were open systems controlled by the user - not a corporation. Unlike the mainframes and minicomputers that preceeded PCs you could run the software you wanted and you didn't have to seek permission from yourIT staff.
Does Microsoft really believe its best course is to enforce a return to the bad old days of corporate control of computing through Palladium and other DRM mechanisms? Doesn't this route open up the way for a competitor to give people what they really want - control over their systems? Isn't this the beginning of the end for Microsoft?
Sailing over the event horizon
a bit redundant, but, I have to ask and stress someone does a good job of asking it. Someone has to ask about open source Say it in such a way that you don't mention Linux, but say "third party" operating system Also ask about how it will affect open source. Ask about how applications get certified to run on palladium enabled chips.
I hate to point out the obvious, but being that slashdot is an open forum, Microsoft (and their lawyers) will surely be watching for the most interesting questions, and preparing appropriately non-controversial answers for them. Ergo, anything you ask here is likely to get a marketing non-answer, rather than a real answer....
:-)
Just something to keep in mind
---- I made the Kessel Run in under 11 parsecs.
Since security is an area that Microsoft has failed in every attempt they've made, how is this going to be different?
Yeah, it's a troll question, but it IS what I would ask.
-- Will program for bandwidth
Let's suppose for a moment I'm writing a front-end for a database using Microsoft Studio... Then I compile the code...
;-)
If I can't run unsigned apps, how will I run my own code, even though I used 100% Microsoft tools to do it?
(BTW, I don't run any Microsoft applications and I build my own machines, so I would never run a DRM-enabled system, but hey, you asked for some questions
...to put in back doors for their use?
-- Slashdot: When Public Access TV Says "No"
Actually, I don't see this as a troll at all. I think it is a (mostly) well written and non-hostile statment which makes the point well. If it was actually posted by a logged in user (and I had mod points) I would mod it up. It is a fair, honest, and civil argument.
Are you astroturfing for fun, or profit?
Thank God my XP box is compatible with the Internet. I can tell The Internet is working, because ZoneAlarm keeps telling me when Media Player tries to Phone Home.
Microsoft is getting into the heavy metals industry now? They have their hands in everything!
I expected I little more respect for something that could end the way we now look at computers, but anyhow...
M$ said that they would release the code/schematics. Given M$ past, how can we trust that what they say is in there really is in there? Will it be an option to accept like the current activation, sure u don't have to activate, but then u only get to use it for x many days? Can I compile, run, and publish my software without submitting it to M$ to get the required signature to run the binary on a box with the big P? With M$ being found in violation of antitrust laws, are we all agreeing to just hand over a security monopoly, that may entail only M$ OS's being able to run new binaries? The whole thing sounds a bit anti-competitive.
Do whatever you can, come to class late, go to the bathroom when they're passing them out, volunteer to collect the forms and "lose" yours. Get your TA to "lose" yours.
Since Brian LaMacchia was an MIT doctoral student of Hal Abelson who is the prof concerned, chances of that happening are nil. I presume he is giving the talk as he is also speaking at another event on Friday.
Brian designed much of the security architecture for dotNET which is pretty much state of the art for network application security. He also started the MIT PGP key server. Whatever Microsoft's past reputation might be, Brian is not responsible. Don't confuse the security abilities of the folk who write IIS or Outlook with the abilities of security specialists. As a group there are very very few organizations where anyone listens to us. Netscape had a really bad problem with security until they hired Taher and the brothers Weinstein and they only got listened to there because Netscape got burned baddly in several fiascoes in succession - like SSL 1.0 being broken before Marc sat down at the end of his presentation, the random number bug which they had been warned on repeatedly, etc. etc.
Don't fool yourself, all computer software companies have security problems that need to be addressed. I don't think the open-source scheme to get security consulting for free is going to be a good long term solution.
The point that slashdot people miss on Palladium is that for years the common rebuttal to a lot of security solutions has been 'you can't do that without trusted hardware'. So the fact that MSFT is pumping money into developing a trusted platform is a significant step forward.
OK folk may not like trusted hardware being available to the RIAA, but they are not the only people who can benefit. It is kinda like the same situation we had with key recovery and Clipper. Freeh was right, there are commercial uses for key escrow, it is kinda a problem if you have an encrypted disk and there is no copy of the key anywhere. Problem was that Freeh's illegitimate demands killed the legitimate market. Don't let the RIAA do that with Palladium.
For example storing your credit card # on a PC makes no sense, people still do it. They can do it a heck of a lot more safely if there is a trusted platform which will only allow trusted wallet applications access to that key.
Another example, for years we have wanted to have PCs that simply refuse to boot except to repair mode if the O/S has been tampered with. That way a trojan or virus can't lurk for years. Tripwire tries to do something like this but it really is a substitute for secure H/W
The Palladium folk know that any hardware scheme is vulnerable to hardware attacks. That does not make such schemes unworkable however. Despite the fact that smartcards are vulnerable to electron microscope attacks they do raise the bar significantly.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
The antidote for misuse of freedom of speech is more freedom of speech.
-- Molly Ivins
Having picked up the exploded pieces of grey matter that result from trying to read what little technical information exists on Palladium (and it's relation, the TCPA), the one thing that concerns me about the new DRM initiatives more than any other remains unanswered.
My current understanding is that DRM allows signed software or sealed content to specify what software environment it is running in or being played back on. It's based on the ability of the software to trace back and verify the cryptographic digital signatures issued by "certification authorities".
From a technical standpoint, the certification "authorities" could be anybody. My question then becomes what level of control users will be allowed to have over who will certifiy their software. Who will be the ultimate authority? Microsoft? Other software vendors? Any software vendor? Artist representatives? Joe blow down the street? Or, hopefully, whosoever the owner selects?
I can think of a number of interesting applications for the technology that could work just as easily for cunsumers as against them:
1) A consumer rights group certifies Customer Relations Management software that is built for the express purpose of preventing the copying & dissemination of consumer information. If music publishers can effectively copy-prevent music, the same technology can be used to copy-prevent consumer data.
2) A problem in a number of P2P applications is in insuring the behaviour of various actors on the network, to prevent malicious logging, flooding, misrepresentation, etc. Certifying running software would be a step toward minimizing problems like these.
The technology is promising, in theory. The problem isn't technological, but political, so my question is - who is going to be permitted to create and select their own trusted roots, and what hoops are going to be erected in order to activate or become one?
You've went to a lot of trouble to make the Fritz chip uncrackable, but Palladium has to be enforced in software. Taking control of the boot loader was a good idea, but what do you do when someone exploits a buffer overrun or a backdoor--or a macro in Word 95--to run arbitrary code, and disable all Palladium features. Isn't all your effort completely useless?
I see alot of questions here that refrence things from the open source movement. I would use more ambiguous words in their place because as soon as the folks from MS realize that your into open souce they're going to give you the run-around. IE, don't say open source projects, say personal software projects. in place of Ogg Vorbis, say alternitive audio codecs.
There was a MS representative at the career fair here at UVA and as soon as I mentioned the word linux, the conversation pretty much ended.
my other penis is a vagina
1. Will turning Palladium "off" ALWAYS be an option in the future?
2. What is plan "B" for a TPA (trusted computing architecture) when Palladium hardware security is defeated and anyone can run bogus signed code?
( I secretly want them to answer "Why, that's impossible, no one could ever break Palladium." )
* The Titanic was an UNSINKABLE ship! *
I. Who will be responsible for maintaining the list of valid "certificates" identifying secure environments? How will a site identify those who it trusts?
II. Under palladium, what mechanism will there be to "upgrade" to newer computer equipment, or restore material from backups to a replacement system?
III. How will the individual shareware or freeware developer be able to develop code that runs in the palladium secure portion.
IV. For security, you need to have a root "key" that decrypts all others. However, this key has to go over an unsecure bus (typically LPC bus). LPC sniffers were used in the X-box hack, how will palladium remain secure from these.
I am posting anonymous for a reason. If you agree with these questions, please mod me up.
Do you really think Microsoft cares or reads ./ ?
They probably block it on their proxy server since it would dishearten all their employees and create morale issues.
Also, ./ would be filled with more whining, e.g.
"I don't understand, we are just trying to make great software. Why do they hate us so much?"
1. Will it be possible, as a home user, to create and digitally sign a creative piece of work? Such as, a home movie?
2. What ramifications will this have on digital content created before the introduction of Palladium? Will it still play?
3. Will the information necessary to create a Palladium enabled viewer be available to public? Or will we only be able to use Windows Media Player to play Palladium enabled content? What are the projected licesing costs for a company that wishes to create a viewer that is able to view Palladium enabled content?
4. Will hardware that requires a signature be able to run content that does not have one? (if yes) Will this then mean that any software that pre-dates the hardware must be upgraded? (if no) Then how will this system differentiate between a desired, older, program, and a virus?
Necessity is the mother of invention.
Laziness is the father.
Will Palladium potentially exploit the CPU ID Intel might add to its chips to address piracy/license management? If Palladium uses a unique CPU ID as part of it security/trust scheme, will this prevent some using a virtual machine product like VMware to run multiple logical machines on a single CPU?
MS has made much hype about how Palladium will improve end-user security against email viruses.
Q1) What will Palladium accomplish for end-user security that couldn't be accomplished by turning off auto-execution and refusing to execute email attachments ? I.e. an audio/x-midi attachment should be *PASSED AS A DATA FILE TO MPLAYER*, rather than executed directly. This would've stopped KLEZ dead in its tracks.
Q2) A couple of names... "Aldrich Ames and Jonathon Pollard". Given that the CIA can't keep secrets, how does Microsoft expect to ? All it takes is one mole in MS, or one disgruntled employee to give out Microsoft's authentication signature. And every virus will show up as a "properly signed app". *WHY DON'T YOU GUYS TURN OFF AUTO-EXECUTION FER-CRYIN-OUT-LOUD* ???
Q3) Microsoft has Palladium patented like crazy. How much will MS charge to allow allow Open Source apps/OS's to run under Palladium ?
Q4) What restrictions/conditions, if any, will Microsoft place on Open Source or any 3rd-party apps/OS's to run under Palladium ?
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
Comment removed based on user account deletion
I would like proof that this is actually happening.
There is nothing anywhere to confirm this.
Suppose I have a commercial application that I wish to release on the next MS platform. How much will it cost me up front to even get that program to run on other computers so I can sell my product?
When communicating with others online, and sending documents to others online, will any third party have the rights (using this technology regaurdless of what YOU may or may not do with it...is it possible) to deny me from sending my documents thanks to these new security features?
>>Do you really think Microsoft cares or reads ./ ?
4 25 5&mode=flat&tid=109
uh...yes?
http://slashdot.org/article.pl?sid=02/10/15/004
guns kill people like spoons make Rosie O'Donnell fat.
It's "How can IIS run on a trusted system?
Ask M$ on how long will it take for a hacker to crack the code ? And how long will it take for a Nimda type virus will be written for it?
/ONLY playing devil's advocate; DON'T get on my case as this is not how I really feel/
Their answer will be:
"Providing adequate protection for digital content helps ensure that the quality of that content is protected, and maintaining the rights of the content producer will help maintain the quality of their work, which helps us all."
Again, I don't agree with this nor do I think it is a compelling reason, but if I were a Microsoft Market-bot-3000, that would be my standard output.
El Karma: excelente(principalmente la suma de moderación hecha a los comentarios de los usuarios)
I would ask them to stop "using" and "studying" slashdot as a marketing tool. I wouldn't be at all surprised if one of the MSFT reps posted this to ask_slashdot so they can make Palladium more marketable when they take it public. Why else would it be posted by an anonymouse coward (much like myself?). We (the hardcore/critical techies) are going to fire out our best questions and they're going to use them to practice: a) dancing around the questions and b) working on the general public marketing for the upcoming Palladium rollout. They'll end up smoothing everything over such that only the most extreme issues remain and they will promptly write those remaining issues off as "extremist" and unrealistic views.
C'mon people... Microsoft is/are not stupid. They KNOW the importance of slashdot and are therefore ALL OVER IT.
You're naive if you think otherwise...
Also, will palladium require a new secure internet protocol, and new secure routing protocols?
Maskirovka
MS Palladium, is that like the London Palladium where they have all the pantomimes at Christmas Microsoft security Ha.. he's behind you.
I have been finding more and more that Mac OS X is becoming a more competitive solution for doing just about anything a normal person would want to do. Are there any DRM features planned for Apple platforms? Is it there already and I just havn't heard about it? If they make things too hard for people many users will buy a mac and go back to enjoying their computing experience. There will still be those who are afraid to change because they just havn't used a mac that much (my brother is in that group). I hoever have no fear for switching operating systems again. I've done Windows, then Linux and so if ease of use is a concern I'm sure using OSX will be easy enough. If I get confused I can just open up a bash and I'll be feeling right at home. Anyway, this turned into a bit of a rant, but I hope my point was clear. Make things too hard for people and they will walk away. Of course you can always bulley them into thinking they'll miss something if they leave, but last I checked that only happens in abusive relationships...
Where does the balance of the user's rights and the content creator's rights equal out?
Will you stand up right now and state that the foundation of fair use - which our education depends on vitially - will not be burried by the media creators.
III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIII
their pants must surely be quite large,since this palladium thing takes some huge balls.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
"Microsoft is evil, blah blah blah..."
Now that's out of the way, let me remind you that there's a lot of truth to this often repeated statement. Palladium is, in a lot of ways, a cool, if horribly unoriginal technology (the concept of making software dependent on the presence of hardware to run has existed since dongles).
Regardless of how cool, funny, or "weak" it is as many of you claim, Palladium has two purposes. 1) Palladium is meant to make other deep-pocketed interests happy (more money for MS). 2) defeat any and all competition to Microsoft products.
It's very clear: Microsoft has the say-so in what code gets to execute on a Palladium-tainted computer. What code do you think will be allowed to execute?
You will argue: "It will be cracked." "We can stick with old computers." "This will not be accepted by businesses/consumers." But those arguments are either irrelevant or fall flat on their faces.
First of all, I agree. It will be cracked without a doubt. But do 99% of the users out there know how to use such cracks to free themselves? Do any of you crackers out there realize how complex this system is?
Second, we cannot stick with old computers. This is evident by the fact that there are hordes of users out there running 1GHz processors with half a gigabyte of RAM for the purposes of checking their email. Plus, software will always get more sophisticated and people will always want higher framerates, and so on. New computers will be purchased.
Last, of course consumers and businesses will buy up Palladium hardware! This is, without a doubt, the most absurd assumption anyone can make! "People don't want another DivX!" "People don't want to give up their rights!" Bullshit. People do not even know what their rights are. Not to forget that marketing spins already exist that are meant to convince people that they are getting something (increased security) when they are having something taken away. (Apologize to the guy who coined that phrase.)
Palladium is very real, and it is a very real threat. It will be adopted if it is allowed to continue. Even if we educate the public, it will press on (after all, users running Windows left and right, despite superior alternatives)? Sadly, I have no suggestions on how to deal with it... but we must certainly not take it as a laughing matter.
Why bother.
If we're going to feed you questions... will you be giving us back the answers?
I'd love to hear the responses, and it only seems fair...
Seriously, IBM was at the top of the PC world in the mid-80s when they tried to act god-like.
They introduced the PS/2 and with it MCA. They even had the gall to threaten all clone manufacturers with retroactive licensing fees. They wanted the PC world for themselves, but clone makers stuck to their guns.
With so many alternatives, consumers voted with their pocketbooks, clone makers fought back, and IBM permanantly lost their lead in the PC marketplace.
Why does Microsoft think this won't be another PS/2, a death-knell for a company who thinks itself to be impervious?
Apple's products have come closer to price parity with PCs every year, and OSX could gain incredible momentum, given the proper influence. Now more than ever distributions like Mandrake and Redhat are making Linux a usable alternative for the x86 platform. I personally believe this could be more than just a bust for MS, in the current climate it could be a critical error.
Man is the animal that laughs.
And occasionally whores for Karma.
Those involved in dreaming up this Palladium scheme are surely corporate spies from Apple.
134340: I am not a number. I am a free planet!
I suggest not asking any questions whatsoever.
Why give them any ideas?
Let them introduce their best shot at their own innovation (if it's not too late for that already).
the last chip I buy until this blows over will be the fastest one that doesn't have this crap in it. can you tell me which one that will be?
If you mod me down the terrorists will have won
use that Val chick again to spread your lies or are you going to get somebody new?
I have followed the microsoft's palladium project since it has discussed publicly, i also have not booted a microsoft opersting system for over a year now. If I were graced with the oppertunity to attend this gig, I would ask him what the palladium project means for open source projects such as Linux, the BSD's, and HURD. And what part exacty does Intel play in all of this, considering that microsoft and intel have been in-cahoots since the beginning. By the way don't be surprised if he declines the question or labels it 'off subject'.
In fact, stay away from the obvious questions in general. Answers will have been prepared and you will waste your time.
If you want to make them squirm, you need to come up with some direct and highly pointed questions that will be very difficult to avoid answering directly without making it very obvious they are so avoiding it. (You can't prevent avoidance, but you can try to make it obvious that that is what they are doing.)
If I could ask a question, I'd try something like the following:
- What kind of data recovery plans will exist if I buy $1000 dollars worth of digital music that is tied to my processor, only to have my processor get fried in a power surge? Will there be any way to recover my investment, or is it lost? If so, what's to prevent hackers from using that recovery mechanism? If not, how can this be a benefit to customers?
The meta-point: Perfect protection implies no recoverability. Recoverability implies imperfect protection. You can not have it both ways.It's pointed, and it will be very difficult to avoid giving an answer, or making it obvious there isn't one. Either there is a recovery procedure, or the customer is SOL... it's pretty binary. If there is a recovery procedure, hackers might exploit it. (Or do we have to dial home to Master Microsoft first?) If there is no recovery procedure, then how can they honestly claim this is a benefit to the customer?
Me, I'd lay money on a handwaving answer... but it should be obvious, if you do it right.
Since it's a /. question, ask them if you can run Palladium on a Beowulf cluster!
I've been using Microsoft software since MS-DOS 2.0, and I also profit from the creation of copyrighted intellectual property. I think there is a definite need for some sort of DRM technology to ensure that unlicensed users are not able to view copyrighted content. However, I've heard of technologies like this, for instance, the protection system on the X-Box, are not "tough" enough and are being compromised by hackers intent on undermining the information economy. What is Microsoft doing to make sure that Palladium is completely unbreakable by these criminal elements, and what is Microsoft doing to lobby congress of the necessity of tougher laws against circumvention?
Why is all of this not just a really intricate dongle?
1) Given the legal convictions against MS, why should I trust MS?
2) In this global society do what support have you recived for this project from India, China, Peru, and others that can convince me that developing on this platform will be an opportunity?
I've tried to limit these to technical questions only. Some of these could fall more under the TCPA's stuff rather than M$s Palladium, but might be interesting to hear what they'll try and pull:
What kind of performance hit can users expect to have when using encrpytion/DRM? And can they provide any benchmarks to back up any claims?
How much hardware will have to be "upgraded" to work with Palladium-enabled software?
What is the expected lifespan of Palladium security? I'm talking about this rev, not any "future versions".
Speaking of security, what kinds of encryption are they going to be doing? IIRC, TCPA calls for both symmetric and public key encryption. Key lengths? Uniqueness of keys? Disposablibity of keys? Key storage by third parties for any reason? Proof of any of the above (particularly the last one)?
How can a user ascertain if their system is running in "trusted mode" or not? Is it technically possible for a "trusted mode" to be running without the user's knowledge or consent? And, of course, how would they prove it?
Do users have the ability to determine all that is running on their system in or out of "trusted mode"? Let alone control that?
I believe I read somewhere about Palladium being able to create "vaults". If so (and I just wasn't hallucinating. Again), can multiple "vaults" be created, or even nested? Again, does the user have the ability to easily determine and access all vaults? If not, why not?
Speaking as someone in academia, how will this affect those of us trying and developing software and even hardware (unfortuneately some of the tools I've personally used have required the use of Windows)?
...if they would consider replacing the BSOD with something entertaining. Maybe a series of pix of Jessica Alba in various states of undress.
I have a small business and write many of my applications because that way they fit my needs exactly. I also buy some and use open source applications as well.
Will small businesses which write their own apps be able to run them along with MS apps or other comercial apps without having to jump through hoops to get a certificate proving that the code we write ourselves is trustworthy?
-- Many men would appreciate a woman's mind more if they could fondle it
I don't know why people are so excited about Palladium. It can not function as they claim it. This is a fact, because nobody can ignore the reasons, at least not in this universe. I'm always under the impression that there are people who sell some highly speculative and esoteric garbage. They claim something that cannot work. And still there is applause for these people, for whatever reason. And if enough applause is around, everybody claps his hands, too, without knowing why. Anyway, Palladium will never do what it is claimed to do, it cannot function reliably and every child with a little skill in mathematics can find a proof for this fact. I will give this proof now.
Introduction
A computer is a formal system which you can analyze in various ways. Mathematics gives us nice measures to do it. These measures allow us to give predicates about ideas like Palladium without even knowing anything about their inner details.
If we assume a correctly functioning computer, this predicate is wrong. A computer is a system which can from its boot strap state reach only a finite number of states, while a Turing machine can reach an infinite number of states.
An ideal computer, which would have an infinite amount of memory, can emulate a Turing machine and is thus equivalent to a Turing machine.
This predicate is wrong. The finiteness of states a computer can reach is not disabled by the much larger finiteness of a network. Because the network, as opposed to the computer, grows over time, it can be seen as an unlimited amount of memory. You would just have to wait until someone, somewhere on the planet adds more memory to the network. However, this memory is over-directed and so the system is no longer deterministic. Therefore a computer with network connection is a non-deterministic system. Non-deterministic systems are not Turing machines. Any computer is deterministic if and only if the computer controls the network connection. This control is finite, because the computer has only a finite amount of states available. So a computer can still only reach a limited number of arbitrary states. That's why a computer is still no Turing machine.
This predicate is right. Since a Turing machine can emulate every deterministic computer, all limitations that are put on a Turing machine are also valid for the emulated computer.
A Turing machine is deterministic and is thus countable. Therefore it is imperfect as a formal system in the Goedel sense. Hint: In imperfect systems it is possible to pose a problem that cannot be solved within the system (e.g. the formula x*x = -1 in the real number system).
Based on these introductory insights a conclusion can be drawn now.
Evidence
This demand is legitimate. A security risk is, by definition, something that you cannot completely abandon. A computer connected to a network is non-determenistic and as such a security risk. A deterministic computer that does no longer react in a predictable way as soon as you connect it to a network is undoubtedly a security risk, because you can no longer tell what the computer does and why. Everyone should seek to avoid security risks with computers. Especially a platform that claims to make a computer more secure must be bound to this insight, otherwise it would increase the security risks instead of decreasing it.
This predicate is wrong. We assume that a computer does not work in a determenistic way with Palladium and it thus constitutes no Turing machine. On the other hand Palladium supervises the data processing inside the computer and cuts off certain states. Therefore the computer loses a lot of its possibly reachable states, that is the number of possible states becomes "even more finite" than it was before. If the computer remains deterministic, then the total number of states is lower than that of a computer without Palladium. For this reason a computer with Palladium is no Turing machine, either. (This is too bad. Would a computer with Palladium constitute a Turing machine that would be a direct proof that Palladium does nothing, because all Turing machines are principally equivalent).
This predicate is wrong. Either Palladium makes a computer insecure (see above: security risks) and will therefore not fullfill this claim, or Palladium is as a formal system imperfect by principle. Imperfectness in this case means that you can impose a request upon Palladium that it cannot fullfill, by principle. Since Palladium wants to give improved security, it either can not accomplish this claim or it has to limit the usage of the computer so that there is no way to use the machine for the broad number of tasks like before. The Goedelization in this case assures us that the limitations are by no means imposed on unwanted operations, which Palladium wants to prevent, but on wanted operations which Palladium permits (or even disres) for the user. It is irrelevant if I can now give a significant example for this or not. The fact is, simply put, that thanks to Goedel can construct such an example. That's why Palladium can again not fullfill its claim. The user is prevented from doing things that he is permitted to do due to Palladium, even though these operations are desirable.
The final conclusion will be drawn now
Conclusion
I assume that at Microsoft there are bright minded people who know enough about mathematics to not only be able to follow my implementations, but rather knew them long ago. I assume this because there's not much behind it. And therefore I assume that Microsoft knows that Palladium can not function in the way they claim.
Now that raises the question why Microsoft still propagates Palladium in the way they do? They should know that their claims are wrong. I see only two possible reasons for this riddle:
Either Microsoft wants to mock up activity in the security sector, which in reality doesn't exist and in such way gain market shares by marketing fluff.
Or Microsoft exactly knows that the computer will become completely uncontrollable with Palladium, because every networked computer with Palladium will work in a non-deterministic way. The non-determinism in this case helps specificially the one who controls Palladium, and this means Microsoft and Intel. But it will be exploited by hackers as well.
Since I make the assumption that the uprising damage from the second case would make an unrecoverable loss for the companies, I firmly believe that Palladium is marketing fluff. Professionals will turn off Palladium to have a (more) secure computer again. For consumer computers this might be a different case, but certainly no sysadmin is going to blindly accept an increased and easily avoided security risk.
Palladium most probably is nothing but marketing fluff without any backgroud - except moneymaking.
We shall not fear Palladium. If it was impossible to turn off Palladium, every computer's value would be zero if it was not connected to the net. And if it was connected to the net, it'd be completely indeterminate what the machines does. At least that's the consequence of Goedel's proposition of incompleteness.
Tino
Original text (german) can be found on: http://20k.de/postnuke/modules.php?op=modload&nam
Final word from the translator, ie. me: English is not my mother tongue.
Except that 95% of the things he listed I can do in Linux.
If Palladium is supposed to increase security by allowing only signed programs to execute, what keeps it from executing signed programs in a "bad" manner. For instance, IIS will be signed, and deltree.exe will be signed, what will keep IIS from executing deltree.exe c: in response to one of the many remote exploits in it. The same goes for Office scripts... Office will definitely be signed, so what makes sure that the code run by office will be secure? How about other interpreted languages?
If I have been able to see further than others, it is because I bought a pair of binoculars.
1. If I turn off Palladium, will I still be able to use all other processor features, or will half of my cache, for example, be reserved for Palladium-encrypted data?
2. If I turn off Palladium, how do I prove that it is off? I don't mean that my BIOS setup screen tells me it's off. I want real proof. After all, Palladium is supposed to be an impenetrable "data vault" that will kick data out of Palladium-protected memory if I try to use an untrusted program to access that memory. How, then, can I prove that Palladium is not active on my computer?
Put down the mouse Al. And the doughnut.
I would ask this:
Will it be possible for new peripheral devices, like disk players for Super Audio CD or DVD-Audio, to use Palladium to make sure that only "authorized" (by the drive manufacturer) software can read the data from the disk drive? I.e. will the drive firmware be able to use Palladium to get an attestation on the secure hash of the running software that is trying to access the drive?
This would end unauthorized ripping of data from these new formats, which would be tremendously valuable to the content companies. It is plausible that these companies would only allow their drives to go into computers if Palladium could provide this assurance. Therefore by providing this capability, Microsoft would make PCs more attractive and useful to consumers, sell more copies of Windows, and make more money.
Microsoft has both the incentive and the technological capability to do it. But they haven't said if they will, and none of their public discussion has touched this issue. Please ask them.
My question: What legal fundation gives any company - including Microsoft and Intel - the "authority of trust" for these plans?
What is the scope of this self-declared authority?
The USA? NAFTA? G7? NATO? UN?
Who grants or denies this authority? Who is the watchdog? What is the international protocol to apply these authorities?
Among the new great features: "and if you stop paying the rent, then not only does the software stop working but so may the files it created..."
Does MS and Intel really believes that any independent state will submit it's government IT infrastructure to such self-declared authorities?
Does MS and Intel really believe that the rest of the world is going to put up with such nazi, stalinist corporate aganda?
In your dreams, boys...
It's gonna be the kiss of death for Microsoft and Intel, the beginning of a new are when these two companies will become the most untrusted corporate entities outside the US.
Does Microsoft and Intel really believe that a world-wide industrial alliance could not produce microprocessor and software to completely bypass these two corporate-nazis?
Is how MS, the company that by virtue of its failure to recognize the security issues in the Exchange/Outlook/Outlook express situation literally caused the recent massive outbreaks of viruses, trojans, worms, etc. can look the rest of the world in the eye and claim to have a plan to solve all the problems with security. These security holes weren't accidental; they were caused by MS coders implementing an inherantly insecure idea. It was insecurity by design. What would make the rest of us believe that anything else they do wouldn't be just as outrageously flawed?
No one ever had to evacuate a city because the solar panels broke!
For God's sake. . . WHY?
KFG
Does all our base, in fact, belong to you?
For a moment, we'll assume that what Microsoft has said on Palladium thus far is truthful (big assumption I know). From what I've gathered, Palladium is just something that runs in addition to everything else. Linux, MP3s, and anything else that already exists will not be affected, they just won't use the palladium components, just as they don't use palladium components now. Palladium will probably start to be used in some future version of Windows Media Player with some new file format that requires authentication via Palladium. The old, non-Palladium formats will still function as before
Not to say all of this is insignificant. Really, Palladium is just the first step. The next step will be to legislate that only file formats that use Palladium (or the equivalent) are legal to posess. Palladium itself will not provide DRM, it will only give the framework to allow lawmakers to legislate DRM. Using older computers will not help if this is the case, since they will not play the newer formats and the older formats will be illegal. So Palladium still might have the same negative effects, just on a much longer timescales.
Then again, you can always keep the older formats, but it will be just another reason for the feds to come knocking on your door.
How are the drivers going to be handled? Will it be that it will allow only MS signed drivers to be installed?
"Do something man. Right now."
ask them how they plan to go about paying off senators to pass a law requiring everyone use palladium-chip based systems (i.e. a law saying it is illegal to run a computer without a palladium-chip)? What strategy of lobbying/bribes do they think will work best? Just old-fashioned payoffs, or do they have a more detailed bribery solution prepared? How long before MS thinks they will be able to pay off enough congresspeople to get such a law passed? How do the presenters of this Q&A session wake up in the morning and look at themselves in the mirror?
Q: "How do you sleep at night?"
Wah!
If it doesn't work, who is going to be repsonsible for replacing the 'broken' hardware and software? Who's going to have to bear the costs? If a large company upgrades all their PCs to Palladium-enabled machines, and there's some flaw in the hardware, are they going to have to effectively repurchase the systems, or will Microsoft/hardware vendor foot the bill?
(This was mentioned as part of another post, but I'm going to paraphrase it here.)
Microsoft has been ruled a monopoly in federal court for unfair practices by bundling it's software with its OS. What firm assurance (not a EULA or other agreement that includes a provision for retroactively applying changes) is Microsoft offering that they won't use the Palladium capabilities to pursue this same line?
On a tangential note, does anyone know if they are planning to do something like this at any other colleges/universities? I'd like to see this sort of lecture at my college.
This has been a test. Had this been a real emergency, we would have fled in terror and you would not have been informed.
"we arent doing this for US. we are doing it as a service to our customers. O:-) even though its obvious OUR CUSTOMERS DONT WANT THIS TECHNOLOGY, they are idiots and we know whats good for them."
the same way they bundled IE with windows FREE out of the goodness of their hearts.
Comment removed based on user account deletion
silver comes after palladium?
but seriously, why would they even stop there? if people actually accept this nonsense, Microsoft will keep moving in whatever direction they see the most money in. If that means controlling the computer usage of 90%+ of the first world, then so be it. (Honestly, i think i'd quit after my first $60 billion).
1) a) How will one be able to turn off Palladium? (Suggestion: a physical switch, that is accessible from the outside of the case, for non-techies to use; also, this way it cannot in any way be remotely turned off) b) How will we be SURE that it is off? 2) a) Assuming that Palladium can be turned off, will the system work as though it were a normal system today? (I.E.- no Palladium) b) If the answer to 2a is no, then why? 3) How will everyone be SURE that Palladium will be able to run any OS, not just a Microsoft OS, and what will it take for an OS to be put on the "allowed" list? 4) Will Palladium have a time-out date after which someone will have to pay a new fee, or risk lock-out/deletion of their data? 5) What guarantee will the public have that Palladium won't lock out anything that Microsoft doesn't want run, and how will the public be able to file a complaint, and have it dealt with, for sure? 6) Will Palladium authentication of a program be free, by the creator of the program, so that it can run under Palladium?
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
This shows how evil M$ is they want to run the Market. M$ cannot win the market by playing fair because there OS sucks and .Not is a big failure so now they want to lock down the consumer. Well Linux and Java will bring this to a stop.Arrogance makes every ones downfall.... Billy pee's in his pants every day thinking Linux will take over windoze.
They want to hear "technical" questions? How about political questions? How about ethical questions? How about legal questions? I don't suppose they're prepared for that are they. They explicitely state that they're not. They want technical questions.
Q: "How does Palladium work?"
A: "Great question, Spanky! Let me tell you..."
Q: "Will it run on Windows?"
A: "Great question, Pookums! Yes!"
Q: "Do you have slack?"
A: "Great question, dude with the nipple rings! Huh?"
--Lawrence Lessig for Congress!
Content.
IMO it's a similar situation to DVD region coding. Consumers never wanted it, but the big studios wouldn't put stuff on DVD unless it was protected, so the electronics companies had to agree to it, and if we wanted to use DVD we had to as well. Which many did. If M$ can make a must-have Palladium app (probably business- rather than consumer-targetted), then you'd be surprised how many go for it.
Of course, the DVD protection was broken: player makers turned a blind eye to region mods, or even quietly introduced them themselves; and similar hacks became available for many DVD-RAM drives. Nevertheless, region coding still exerts a good deal of control over the DVD markets, and causes many consumers great inconvenience. And the same will happen with Palladium: if it becomes widespread and desirable, then someone is bound to crack it. But that won't stop it from causing untold pain and misery.
Ceterum censeo subscriptionem esse delendam.
How can you ethically work on this?
Seriously. Make the speaker think about what they're doing and realize that their actions have consequences.
Print out all of the good slashdot questions(anything +3) on computer paper and ask him them.
"Palladium will greatly reduce the risk of many viruses and spyware -- software that captures and reports information from inside your PC -- and other attacks. Memory in Palladium PCs and other devices will run only 'trusted' code"
j ul02/07-01palladium.asp
thats taken directly from http://www.microsoft.com/presspass/features/2002/
this is some scary shit. i see it as a direct attack on open source software. only code approved by m$ will run on your new pc? wtmf?
The class website is here, and this page gives information on the lecture.
No, I'm not karma-whoring. This is useful information, if you plan on asking questions other than "MS sucks, don't you think?"
Scroll down on the lecture page to "Lecture 12", and take a look at the background reading on Palladium. Gives you an idea of what the students will (should) know before asking questions, and as thus it might be useful in this forum, too.
There is no sig, there is only Zuul.
What kind of easter eggs can we expect in Palladium, and will there be an opportunity to submit suggestions? If so, I would really like to see at least one of the following easter eggs somewhere in there:
- a screen pic of grub boot screen on an Xbox when one types in "ctrl-alt-d-r-m-stupid"
- that silly Balmer monkey video when one types "ctrl-esc-D-C-M-A-microsoft-way"
- an apple "switch" video, any one will do, when one types in "f1-palladium-ctrl-sucks"
Real men don't need signitures!!!
Phrase it this way: "Microsoft knows all too well that MP3 is the prefered mass-market technology for music distribution and DivX is the equivalent for movies. With this in mind, why does Microsoft insist on supporting digital rights management rather than support market-proven technologies which the vast majority of its customers are comfortable with?"
If you feel the need to jab them a bit you can add as small semi-asides stuff like:
"Does Microsoft feel some sort of moral obligation to not support open technologies that the public currently users?"
"Does Microsoft feel that what benefits the content producers benefits consumers?" (When all good capitalists know it's the other way around because a company can't survive without satisfying its customers)
"Does Microsoft feel that the user experience is enhanced by limiting the choices of its users?"
Or if you just feel like making a political statement you can ask, "Does Microsoft value the relationship its trying to build with content producers more than its relationship with its users who it is restricting via DRM?"
I think this should be treated the same as any invitation to submit questions to an interviewee.
MS, in this case.
It's disappointing to see the flamage herein. Yep, Slashdot may be homogenizing, as some have asserted - becoming bland, grey, doubleplusungood sameness in all directions. Personified by Prolific Puking Proselytizing Punks!?!
Yet ---- on the flip side, there are too many superficial questions asked, which by their phrasing or their supposed "subtlety" or "indirection" will somehow be "sprung" upon the erstwhile MS drones standing under the bright lights.
Sigh.
This is a very rare opportunity, if indeed someone will represent "our" interests at this forum (and assuming the chance to speak).
We should be asking all the questions that have come up before, but that have not yet been answered: in Salon by Bruce Perens ('Perens is convinced that Palladium will let Microsoft decide which applications can run on a machine and which are simply too unsafe for public consumption -- such as programs written by open-source hackers. Perens even thinks that's the point of Palladium: "It's designed to kill off open-source development."') and in Dan Gillmor ("Microsoft has launched its Palladium initiative, a hardware-software system designed to make computing more secure from viruses and malevolent hackers. Palladium, unfortunately, could also be used by intellectual-property owners to lock down copyrighted materials in ways that would damage users' rights. Critics have also suggested that Palladium could be used to freeze out open source software -- and they make a compelling case.")
A few example questions:
What is Microsoft's response to Cringely's allegation that data will no longer be "permanently readable" - a characteristic of computing that is taken for granted today?
What is Microsoft's position today on this issue?
Is this DRM part of (or related to) Palladium? In any event, what recourse will users have when (if) their existing software ceases to function as a result of these new "features"?
Search Google, read all the material, find the unanswered questions - and it won't matter that Microsoft sees this slashdot thread. Ask the questions that MS knows about, but has not been able or willing to answer...
Redundancy is good; triple redundancy is twice as good! - Me.
then the question is "Why hasn't Microsoft taken a little time to fix the 640k problem?" but before they can speak you need to add "no that ISN'T a fix!" Cheers!
How will palladium handle interpreted code, assuming the interpreter itself is allowed to run. It seems like it could be a simple circumvention.
My question would be:
"GIven that Microsoft has been found guilty in the court of law in its anti-trust case, and just looking at Microsoft's history, why should consumers trust you now?"
John
What questions go unanswered?
"Do you think you have the smartest people in the world working at Microsoft? If not, then surely this attempt at making a Wintel machine secure will fail. And if you do have the smartest people working there, then why did the Xbox (and Xbox 1.1) get hacked?"
I wish I could be there to see this lecture, but I'm afraid I'm a thousand miles from Cambridge and it's been a few years since I've sat in 6-120.. enjoy it while you can!
Any suggestions from the Slashdot crowd?
Why?
Being that the driving force behind the wide acceptance of every new piece of technology in the history of mankind has been the huge unacknowledged market for pornography, which marketing genius thought that the consumer would take home any hardware that was going to have the stink of Big Judgemental Brother on it?
If Slashdot were chemistry it would look like this:Cadaverine
how will microsoft create a business model from this?... so many have had problems with creating business models with these ideas, how is microsoft different?
If you accept that the copyright holders have the right to make their copyrighted materials "uncopyable", then DRM is a god solution up front. But how will Microsoft's Pal.ladium initiative, or any other DRM scheme, handle the expiration of copyrights? For example, I might not be able to copy Steamboat Willie today, but suppose the Supreme Court strikes down the latest copyright extension thrusting Willie into the Public Domain. Would Palladium allow me to then do as I please with the flick sincle DRM would no longer apply?
Like this wasn't a ruse to let Microsoft prepare for these types of questions. Theres a team of PR coonies writing responses to anything the Slashdot community can think as we post.
Ask if Palladium will use more than two of the four available privilege levels, or 'rings' for Pentium processors.
WinXP only uses two levels - so any device driver can modify the kernel at will. Implementing additional levels can mitigate that.
What changes in the underlying Intel architecture (IA32 or IA64) are required to support Palladium?
Or will will a current generation Pentium support Palladium with auxilliary co-processors?
Question: What if the terrorists ram a Boeing 747 into Microsoft database server which stores the keys? Will all the machines in the world be useless and mountain afghans rule the world?
There is no reason you couldn't write an open source browser or office suite and have it run on a palladium system. The reason why there have been murmurs of a possible palladium/OSS conflict only apply to a certain type of program, specifically that which uses palladium/tcpa's "security" features.
;) )
Picture an open source media player. As it stands, xmms could be run on a palladium system and the oss model would work fine. It would play oggs ripped from your own personal cd collection and any company that takes the source, modifies it, and distributes a binary would have to release the source back to the community. No problem.
Now let's say a company takes the xmms source, adds support for drm-infested media, and releases a binary that's been digitally signed by MS, meaning that MS has examined the source and seen that it will not ever expose unencrypted, drm'd data to user access. It still plays oggs (they haven't removed that feature yet), but here's what happens when you try to connect to Disney's server to upload your credit card data and download Mickey Mouse 2010 (subtitile: Yes, we still have the copyright):
1. Disney queries your machine for it's unique ID (yes, all PCs must have them for the system to work).
2. Upon verification that the unique ID is a valid one from the central unique ID database, it asks your system for a signed, timestamped, digitally signed (by the TPM [trusted platform module) message saying that your system is running a drm-compliant OS.
3. If it gets an affirmative answer back, it queries the OS as to whether the app is digitally signed by MS. I'm not familiar with the system that will be used in this case, but I think identd would be an accurate model (i.e. "Is the app connecting from port xxxx on your machine to port yyyy on my machine digitally signed?").
4. If it gets an affirmative answer back, the server will then send content encrypted with the platform's public key (not the "unique ID" key, that one is a single purpose sign-only).
5. xmms, upon receipt of the data, plays it back according to the drm rules.
Now, imagine you want to modify the new xmms sources (that include drm support) to play a new audio format or to add a media manager function (or whatever). You still have free access to the sources, but once you modify and compile them, you get an unsigned binary out of your compiler. It still plays oggs, but when you try to buy a movie from Disney, the OS responds (in step 4 above) with a negative answer.
"No, the binary making that connection is NOT signed."
The result is that Disney will not send data to that app. I'll get the obvious question answered right now:
Q: What if you modify your OS to respond to all step 3-4 "is xyz app signed?" questions with a "yes" answer? Couldn't you break the system that way?
A: No. The authentication process would fail on step #2 above because your recompiled kernel wouldn't be signed so the TPM on your motherboard would refuse to vouch for it.
What does this mean for OSS? Well, not much. Open-source, non-pd/tcpa software won't be affected at all. OSS that does "handle" secure content as one of its main functions would be affected - you wouldn't be able to fork it unless you wanted to pay MS for a digital signature on every release to you want the pd/tcpa portions to keep working. In a nutshell, only the portions of OSS that normally depend on pd/tcpa would be nonfunctional.
So why is palladium/tcpa still a big problem? Well, a couple of reasons, but first, more Q&A.
Q: What if I were to physically crack open my trusted platform module and extract its private encryption and sign-only authentication keys.
A: You would have broken palladium/tcpa security.
Q: What if I were to replace my core root of trust for measurement (CRTM, aka my BIOS) with one that always reports the system is booting in a "secure state" to the TPM?
A: You would have broken palladium/tcpa security.
Q: What if I find a buffer overflow or other bug in a signed application (e.g. windows media player) that allows me to execute arbitrary code as that process?
A: You would have broken palladium/tcpa security.
Q: What if I find a buffer overflow or other bug in the OS or a signed driver that allows me to execute arbitrary code as the OS kernel?
A: You would have broken palladium/tcpa security.
I don't mean to make it sound easy - tcpa is designed to place these activities beyond the means of the average script kiddie. However, they are all very real valid security problems that palladium/tcpa _will never be able to solve_, specifically because of the nature of cryptography, mass-produced hardware, and information itself. I guess you could say that information really does "want to be free".
(Note to grammar nazis: Yes. I'm aware I put the period outside the quotation marks. I did this because I believe it enhances the readability of printed english. Putting the terminating semicolon from a line of C code inside the quotes around a quoted string just doesn't make logical sense. However, any its/it's, there/their/they're, or other stupid mistakes that detract from my ability to communicate clearly are fair game.
So why is it such a bad idea? Because people think it will work. The latest issue of PC World (November [?] 2002) features an ad from IBM touting the advantages of the latest Intel Pentium 4 processor's LaGrand Technology. If I could find it I'd post the page number, but if you look through the issue it's on the left side somewhere in the middle-ish section. It promises freedom from viruses and a more secure operating system. I think it promises completely secure e-commerce as well. The average PC World readers are going to read this and their eyes are going to pop out of their heads. "Really? No more viruses? No more trojans? Secure e-commerce? How wonderful!" When online companies start pushing "secure" online movie rentals (broadband only, some restrictions may apply, void where prohibited, etc...) the ones surviving heart failure will scramble to buy new pcs with this LaGrand Technology (or amd's equivalent). After all, who wouldn't want a virus-free secure PC that does new and exciting things?
Nevermind that the reason 99.999% of the computer-using public have to even think about viruses is because outlook is so incredibly insecure. Nevermind that the only things stopping global availability of secure online shopping are the certificate authorities' greed and US crypto export laws*. Nevermind that online movie rentals will most definitely not take off soon considering how much bandwidth is available to home users even with broadband. (Yes, you may have 2mbit cable, but what's going to happen when a large enough percentage of friday night movie watchers decide to download and cable companies are overselling their last mile _and_ backbone bandwidth at a ratio of 50 to 1?) Nevermind that LaGrande Technology is designed to be the cpu-side hardware support for tcpa/palladium which is already flawed. I'm not saying that IBM won't be able to make good on their promises of perfect security and a virus-free environment (that's a separate debate) - I'm saying that they're pushing a unique PC ID and Digital Restrictions Mechanisms into every home in trying to do it.
(* Yes, I'm aware that you can get strong ssl encryption in linux outside the US. Here I'm referring to windows, a product from a commercial entity that has at least a slight interest in pretending they obey US law.)
So that's how it's going to get into homes and businesses. What harm is it going to do once it gets there? Well, just because it's going to be hopelessly inadequate when it comes to serving its intended purpose of stopping online piracy of digital media doesn't mean that it won't restrict fair use rights. Sure, anyone can use a cracked pd/tcpa box to download a film from disney and then distribute it online, but if Joe user can't rip his legally purchased CD and send it to his car stereo because of draconian DRM code, that's a problem. And that's only the copyright/fair use side of the issue. What about security? What happens when a certain OS vendor, with complete confidence in its supremely planned but critically flawed transition element, starts getting lax on security and starts depending on pd/tcpa keep everything together? Even worse security holes than we've seen before due to inattention to important detail and (at least) internal code review.
I hope you see what I'm talking about now. The worst possible outcome is not that palladium/tcpa will progress as planned (which violates the "possible" part). It's that it will approach an uneducated public and fail miserably.
Are you a paying member of the eff yet?
I'm sure that the MS rep will deny that it will keep other OS's from being installed. What I want is a public admission that it will make it possible for preinstalled software to require authorization from someone other than the owner of the machine before blowing it away and replacing it with something else.
It seems obvious to me that for Palladium to really have the qualities they imply it will have, that it will have to support this sort of lockout functionality.
This could lead to some fun followup questions such as: "if some virus/trojan/malware defeats the security of the installed Palladium executive, could it then lock everything down and turn the computer into a boat anchor permanently?"
Why they are helping to make the PC a PERSONAL SPY PORTAL for industry and government? And why they think that everyone is so stupid as not to see through their evil and greed? And why does their software suck so bad?
What are the end user's benefeits when it comes to using DRM software/hardware? I know the RIAA/MPAA (evil companies) will use this to exploit the copy-our-data-and-die policy, but what is the main incentive to switch to Palladium?
From what I hear (and that's not very much), there is no performance boost, data optimizations, or even space-saving when incorporating this technology. Seems like MS is trying to pull a fast one on the end user with ho-hum examples of why Palladium is beneficial to them/us/me.
Another one: Who is the target audience for Palladium? Surely not everyone will want a chip telling them what they can and cannot listen to/watch/execute. Knowing who the target audience is better prepares them for trickery since they know it might be coming at any time.
I'm ill-informed, so if my questions sound stupid, feel free to reply.
Will Palladium feature the original, "classic" BSOD, or will it get a new, innovative color like the X-Box did with its Green Screen of Death?
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Why? Is it really needed?
Micro$oft sucks! Down with Micro$oft!
How does the consumer benefit from having their privacy stripped from them?
What will Microsoft do to ensure that consumers fully understand the contents of the EULA before purchasing Windows and inadvertantly agreeing to it?
Will the Palladium box have a picture of Thomas Jefferson with a giant red X through his head?
Will your Palladium software have any bugs in it?
Is it just coincidence that Palladium sound alot like "Played You?" That seems to be something Microsoft likes to do alot...
Since "Palladium" works on the hardware level, what say do other Intel based operating system "makers" ( Linux, FreeBSD, HURD, Solaris ) have in this "standard". If they do not have any say, what support is Microsoft, and the hardware vendors, going to give these operating system so they can continue to work on these new PC motherboards or devices.
What do you give Steve Ballmer(sp??) when he jumps around on stage and does his monkey dance?
Ravers want to know!!!
Imagine a beo.... ah, nevermind.
I can see the good points about how palladium will protect a lot of users from malicious code with digital signatures, but does that also mean that a software developer will have to get his software digitally signed before it can be tested, and will it have to be resigned after each and every compilation change? If so, palladium will be as popular as intel's processor serial number
In Soviet Russia, the monkey spanks you!
Question 2: why is he reading my hard drive?
there's no place like ~
When pc manufacturers decide they don't want to offer Palladium on their new systems, how will you force them into agreement???
Self-realization. I was thinking of the immortal words of Socrates, who said: I drank what?
Paladium is simply a solution to a problem Microsoft caused in the first place.
-- A cat is no trade for integrity!
I would ask What about thiings that are in the public domain, like The King James Bible, or Music that my kids write (ok, you might want to change that to I write)? Will Palladium prevent me from shairing these things? Or do I have to leave the Palladium environment to do so?
1. What special networking services are going to be in play to keep everything in check (if any).
2. Will there be special ports left open (incoming or outgoing) for over-the-Internet verification or security checking purposes?
3. Will there be any detrimental effects for a Palladium machine that has no Internet connection?
4. Is it possible for the hardware solutions to be emulated with a mod chip/chips?
5. If Palladium is disabled to get around a problem, what happens if it is later re-enabled?
6. If using a Palladium machine to develop software, is it possible that some code will not run because of a Palladium restriction?
7. Is Bill Gates really Borg?
Comment removed based on user account deletion
It will be just as big a hit as their BOB OS.. I'll bet APPLE is just waiting for them to put this bullet into their head...wait, I can't wait! This is just the thing Lindows and Apple and Linux NEED, funny that they destroy themselves.
Counterpoints.
Typically you'd rather lose data on an encrypted disk than risk it being compromised. Key recovery and key escrow go directly against this. Replacing mathimatically proven security for a human trust form of security = Bad idea.
As for storing a CC number on your computer and only allowing trusted wallet applications to access it. Sure, its rather stupid to store stuff like that on your computer. However you are far more likely to get it stolen from the other end. The server is known to have them and has a lot more than some random computer. I'm also not convinced that this system makes your data any more secure than an entirely software solution using encryption.
Finally, if you want to prevent a computer from booting if tampered with. It is pretty easy to boot from a write protected floppy. Put whatever verification you want on that.
Perhaps there might be some good uses for this technology, but I'd rather try to make esisting technology work than be forced to give up the control that MS/RIAA/MPAA want.
It's cool you're asking for all our questions, but are you going to post the answers?
A simple and direct question would be "What technical measures in the Palladium architecture prevent a software emulator from masquerading as a trusted component?"
All digital security is based upon two critical questions: Where is the secret, and how long will it stay secret?
In the realm of 'secure' web servers the secrets are contained within a box that only (er.. hopefully) provides limited access to a HTTP protocol through two thin threads of fiber. Everything else is protected by a brick wall and watched by an underpaid security guard. The secret is on the hard drive in the machine, and the physical security and/or software correctness determine how long it will stay secret.
In the realm of Palladium there is a secret within your PC, and the question on everyone's mind here is how long will it stay secret. Every white paper I have read on Palladium indicates its an open architecture that will be sufficiently documented to allow anyone to develop for it. This simply will NOT work. If the all information is public (i.e. no hidden secret) then there is nothing stopping someone from creating an emulator, and there is no guarantee that an emulator will enforce the security policy the way Microsoft demands it should be.
If VMWare incorporates an 'mistrusted CPU' or a 'Fritz on the Fritz' virtual component that cannot be distinguished via software from the real component how on earth will Palladium offer us any additional security or safety?
Are they gonna make one too? Will MS release the code to them? Will MS release code so some stuff can run on linux? And if so, will it be open source?
Why is that everytime I see Win32 I think virus?
If I see Win64 I think High Tech Virus.
Except of course it wasn't ill fated at all. When the public outcry came along, the allowed the BIOS makers to put in an option to supress it. And they all did. For a time.
Got some Thinkpads a few months ago and guess what? The option is GONE. They win, we lose.
Expect the same tactics again. In the beginning it will be optional but it won't stay that way long.
Democrat delenda est
I agree, MS employs a lot of smart folk who do good architecture & design work. The area they usually fall down in is execution (coding), sometimes due to market demands, fiscal constraints, and the like.
I'd be much more interested in a removable key system, say a USB storage device that fits on a keyring (what you have), and perhaps a password (what you know) to secure my sensitive data. A centralized scheme is too ripe for abuse, and to make it less so would only produce a underfunded mess (much like the US Govt or VeriSign is now).
I think one good question is:
How does MS plan to make money off Palladium?
There's obviously the patents and the proprietary source code, but where's the "value" to buyers?
One way is to lock up content (enforcing intellectual property laws). Another is to lock up systems (enforcing software copyrights and security policies). But neither of these brings any value to the buyer, other than offering some level comfort that they're not breaking laws.
I guess it's just to help businesses do business. And since businesses are the largest buyers of computers, it will do well. However, if you're not a business, you just get to foot the bill.
Typically you'd rather lose data on an encrypted disk than risk it being compromised. Key recovery and key escrow go directly against this. Replacing mathimatically proven security for a human trust form of security = Bad idea.
You sound an awful lot like Bruce didfive years ago before he got a clue and wrote secrets and lies which is all about why mathematically perfect systems are not what people want. BTW the main objection to Palladium is that it may not work if it is too perfect.
I sell key recovery systems, all my customers disagree. There are very few companies who would like to loose their accounts (other than those run by close supporters of George W Bush). If there were no demand for key recovery I would not sell it.
As for storing a CC number on your computer and only allowing trusted wallet applications to access it. Sure, its rather stupid to store stuff like that on your computer. However you are far more likely to get it stolen from the other end.
Not so, we can encrypt the cc number so that it is never known to the merchant (apart from the last four digits). SET did this years ago, it failled in part because of complexity but also because of the store on the PC issue.
Finally, if you want to prevent a computer from booting if tampered with. It is pretty easy to boot from a write protected floppy. Put whatever verification you want on that.
That is not particularly practical and not particularly secure either. Unless you can put the whole TCB onto a floppy (hint you can't get much of UNIX onto a floppy) then the attacker can compromise other system files and you are toast.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
What will a total restore look like under DRM? (EG: Now, just re-install everything. Under DRM, will software have to be re-authorized for the new install?)
What will a hardware migration look like? (Now, just re-load software, restore data. Under DRM, how will that affect data?)
What happens if a software vender requiring authorization after a reload goes out of business? How can the software be brought back into use without authorization keys?
When current applications go end of life, how will data from those old applications be accessed in archival mode? (Think IRS audit six years from today, and you are using, say, Quick Books.) How will all this be affected with XP goes End of Life?
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
Under DRM crap systems like trillian wouldnt work.
We will be forced to use 15 different media players and 20 different im mediums, and good luck getting legitimate p2p applications signed.
or when in an effort to reduce piracy ms releases a ftp client as part of windows. then says in order to protect its copyright other ftp program cannot be signed as they're unsafe to drm.
palladium is microsofts wet dream. I highly doubt the general consumer will swollow this tripe.
So yea. thats all good but what i REALLY dont get is what's in it for intel/amd to support this drm bs.
they've both said they would support it but why why why.
Currently the biggest sellers of hardware is for multimedia... think home-brew dvr/pvrs from sony. The general public has clearly said and made crystal clear it doesnt see sharing music online as piracy. Most people who download/test out songs arent burning discs. I personally still know tons of people who mp3 to find new content without the ad-ware low quality crap of radio. Then they just go out an buy the cd for their cars or home stereos where the quality of mp3 is really actually noticible.
It all seems to be contrary to what the public wants and is willing to pay for. Currently piracy INCREASES hardware sales dramatically.
Now thats bad for ms/hollywood but whats in it for intel to play dirty pool with its comsumers... someone explain to me and the shareholders of intel/amd what the hell they're thinking supporting this drm bs.
I would ask how they believe palladium will affect the general trend of media/software companies being more and more restrictive with their IP licensing? Who ever asks this question should probably be prepared with some statistics on this which I'm sure is out there some where.
I wonder if open source will be able to exploit it (not that anyone would want to)? If not, then what makes them think it will ever go anywhere? Force it upon us by law?
"Who the hell are you and why am I only wearing underpants?"
Why are you people doing everything you can dream of to COMPLETELY DESTROY creativity and electronic freedom?
I want to know what assurances there are, beyond verbal promises, that consumers' and citizens' rights won't be taken advantage of by large corporations behind Palladium.
Table-ized A.I.
If I understand correctly, Palladium checks the integrity of a program "down to a single bit" and will not allow the program to run if a single bit is different from what it expects.
What happens if a sector on the hard drive becomes corrupted? Whereas most programs will presently continue to run with a small amount of corruption (at least well enough to retrieve data), under Palladium would it not fail to load entirely? In other words, the most minor data corruptions become catastrophic failures.
Would it be necessary to reinstall the software entirely in order to run it under Palladium?
What effect will this have on people who want to run multiple OS's (let's just say for lack of argument, OS/2, or older versions of Windows... BeOS, linux doesn't even NEED to fit the picture here...)? Would this cause problems for re-installs, re-formats, etc. (What effect will this have on the frequency of re-installing?) How will this help the growth of private building of systems, existing hardware, hobbyist usage of BASIC stamp kits, etc.? need i go on? Why should manufacturers of various computer components/accesories follow suit?
This useless space for sale, inquire at front desk.
I wonder if they have guys reading all these posts, and preparing answers as we speak?
I'd like to hear more about Microsoft's claim that Palladium can't be used for copy protection of software. What about the idea of sealing (encrypting) part of the program using Palladium, loading it into secure memory, decrypting it and then running it? That would seem to allow for program code to be locked to a given computer, which is the essence of copy protection.
Yet Microsoft claims that Palladium won't facilitate copy protection. Is there some specific technical reason why this scenario won't work? Or does Microsoft just mean that they don't plan to use this method at present?
How will I get my cryptographic keys out of my old computer and into a new one securely? Will I be able to do this myself, without an Internet connection? If not, who will handle key escrow, and how can I trust them? Wouldn't key transfer be a weak link in the chain? Wouldn't this effectively require me to register all new computer purchases with a central registrar?
Here's an exchange that will open the audience' ears.
Q.) "Suppose I boot my computer with a non-Microsoft, non-Palladium operating system.. such as Linux or BSD or Plan9. Will I be locked out of all my Palladium multimedia, software, and documents?"
expected BS: A.) "Well, the idea of Palladium is to create a trusted platform for all data exchange, so each part of the computer needs to cooperate for this to work. I can't say for sure how other operating systems will fall into this picture."
FollowUp Q.) So what you're saying is that any software which does not or can not cooperate with Microsoft Palladium will be locked out of certain media and documents?
A.) some form of 'yes'
80 % of music ,tv and movies are sh!t.
the computer industry has to be remade into a borg
entity so the content industry can force feed
the masses their circuses so they can continue to
amass obscene amount of bread.
Krapppp !!!!
How will paladium affect computers and OS in other countries? I'm from sweden and the prospect of living with US laws (DRM, CARP, DMCA, etc) isn't a very compelling idea.
Will we (non US) be unaffected by paladium? If so, how?
I know a lot of ideas have already been tossed around, but here a couple more...
As much as I get annoyed with the fact that my windows installation seems to need a new security patch every week, it's a distinct advantage of a software system that it can be updated so quickly and easily. What will happen if (or when) a bug is found in the hardware part of Palladium? Will there be something to the extent of a bios update? Will there be a software work around? Will people have to go out and get a new chip (and if so, what happens to those who don't do it as quickly as others).
I don't know if you want to find out the answer to this one, but let's assume that a Palladium system can prevent digital copying 100% of the time on signed media that they don't want copying. What's to stop someone from doing something as simple as connecting a tape recorder or VCR to an A/V connection and thereby making an "unsigned" copy of the media to be distributed on your peer to peer network of choice? The answer I see could be nothing (which would undermine the ability to actually manage digital rights) or that Palladium my cut out A/V (or other) devices, which I would find VERY scary.
What would the exact criteria be for getting programs or code to be certified "Palladium Compliant". For example, let's say I work for a bank that has online banking software, and we find a hole or bug that MUST be fixed. Would every iteration of code have to be sent to MS or some third party for 'approval'. Also, not to be cynical, but if MS is the one doing quality control, how do they respond to the fact that some of their products are just a tad lacking in quality of code?
Finally, if someone were to hack a Palladium signature, and potentially shut down, control, erase, etc. a users machine, what would type of recovery procedures would there be (or even controls to ensure that a signed program isn't doing something it shouldn't be).
If processes are given a private place where they can do what they want without being observed, whats to stop those processes from doing things we don't want them to?
What's to stop the manufacturer of our favorite program from using our CPU cycles for their favorite distributed computing project? If we don't know what a process is doing, how can we police it?
Network traffic is a little easier to police, but what is to stop a process from using my bandwidth to create a swarm network for a its own purposes?
What about my hard drive as a mass storage device?
I'd like to know if Pd allows the content created by users to be protected?
Or will all my digital photo belong to Disney et al. :(
when their history shows a company that cannot
be trusted.
They were convicted of breaking the law.
they just ran a phony promotion about swithcing to
xp from apple.
They will design "trust worthy" computing.
Is this some kind of sad joke?
Yes, we read slashdot. So much so, that the proxy IP has been banned by slashdot every now and then.
(Interestingly, when they banned the proxy IP, http://slashdot.org gave us the "you are banned" page, but http://slashdot.org/index.pl worked just fine.)
Here are some questions you might want to ask these guys:
1. Will American government agencies (eg. FBI, CIA, NSA) have access to the data gathered by
Palladium?
1.1 If 'no': WHO will have access to the gathered data?
2. Has Microsoft considered that the rest of the world might go their own way when it comes to
OS and software?
3. Why does Microsoft have the right to poke around inside a person's private property?
If they say something like they have the right to do it because you might have illegal copies
of software they own, then ask one of the two questions below:
3.1 Is it okay if local store owners in Redmond break into Bill Gates' home a
little bit now and then, just to check if Bill has some of the stolen items
originating from their stores?
3.2 Would you accept video cameras in your house that's controlled by the police?
After all, you might be a thief and keep stolen goods in your home...
But you missed the point of the original post. It isn't that you can't do 95% of those things in Linux (I actually do) it is that MOST people would not find doing it very easy. For those people (the majority of the market) Windows makes those things easy. Until we get Linux to the same point of ease Windows will continue to dominate the market.
I suggest a simple, direct question:
By introducing Palladium, you're asking most personal computer users to bank on a complex new system that will restrict what they can do with their computers. This is a substantial implementation effort; it's not clear that it will succeed in practice; and there are many design decisions to be made that will have a profound effect on user freedom and on the entire media industry. Now, you're telling us that you, Microsoft, are the one to do it.
Why should we trust you?
There are two parts: why should we trust you to be competent? And why should we trust you to be ethical? (That is, why would anyone expect you to make design decisions that will truly benefit everyone?)
If i can listen to it, it can be copied. If i can see it, it can be copied.
There is NO WAY to keep people from recording audio and visual data that is meant to be viewed. if we can see it, we can copy it.
if that's the case, what's the point behind protecting audio and video data, as it will be copied anyway.
or you could ask them
will i still be able to listen to my cd's without having to carry my cd's with me? will i be able to listen to 20GB of mp3's on my iPod if i own a new DRM machine?
if i can't, why would i want to buy one?
or ask them
why are companies so interested in chaining people to their desktops? the ability to space shift media is key to a computer's use, why limit that?
So, will Palladium be extended to mobile platforms such as the Pocket PC, cell phones, toasters, etc?
Will the specs be given out to other hardware manufacturers to implement for their own devices, or will Microsoft have a monopoly on secure hardware?
Will the .NET Compact Framework support Palladium?
Well, if this gets going any more seriously than it is already, I think we will be seeing marches on Washington. At least I will!!!! This might sounds corny, but the answer to such questions is to look at biologoy as the answer to our problems. Biology says that every piece of information is on its own. The problem is that we are a society that wants to charge for information. We cannot do this, we can only charge on the operations we do on tha information, and cannot hope to take the amount of money it will take to make a society that has a central system. Just not feasable! Sigh....Microsoft, your days are numbered. If you do do not watch out, people will start taking these issues very seriously and to congress!
http://www.cbsnews.com/stories/2002/06/25/tech/mai n513342.shtml
:)
and like Athena, Palladium will fail to protect the data within.
"Why does Palladium suck ass?"
.Z
No beowolf here
Since it seems the majority of slashdots audience is 13 year olds.... If you want to make them sweat, ask the questions that are going to hurt the most. The General ones are too easy, you want to reinforce the pain with direct evidence as to their incompetance. I think I have a batch that will make them squeam in pain and potentially give the poor representative a heart attack. 1: If Microsoft is going to implement any autonomous updating mechanisms in Palladium or any future operating system, will those autoupdating mechanisms be protected against the attacks that, for example, allowed the virus, Nimda, to slip into a help file in the korean release of .net, or allowed previous viruses to slip into updates Microsoft publicly released? If Microsoft was hacked and someone was able to execute a DDOS attack with however many millions of PC's a Micrsoft had autoupdated, what kinds of recovery mechanisms and schemes would be in place to recover from such of a disaster? And finally, would these recovery mechanisms include saving a users data if the virus hadn't already wiped it out?
-To give them a heart attack. Point out the biggest, baddest, most major flaw in their system that can indeed be exploited.
2: If Microsoft is to compete with linux and other open-source operating systems, what portions of code would microsoft be willing to release to the public so modifications of the operating system would be possible?
-To catch them completly off guard.
3: Will there be any central-verification of ownership with Palladium much like that implemented with XP that would require the dissemination of user identifiable data to Microsoft as a verification of purchase mechainism? If so, will this automatically sign users up for passport? Also, would such data be protected against dissemination out of Microsofts computer system much like the accidental posting of Passports users PI on Infospace's Internet White Pages which attributesd to Hotmails spam problem? In addition, will users be opted out of all advertising and any security features and/or extras by default?
-To make sure that they will keep our data safe and secure. I especially like the last line =)
4: Will Microsoft's palladium enabled software, such as the Office Suite, have proper, GPL'd lisencing for at least 1 file format so that users may opt-out of having their data stored in a properietary format?
-A bit more aggressive, but it's something they won't be ready for either.
5: What will a palladium-enabled operating system consider "secure" software? Will it be anything of the users choosing or will software only be allowed to run if it has the proper securities approved by some external party?
- This is nailing the coffin shut, frankly. They will be prepared for this one, but unless they answer "users will be able to do what they want with palladium enabled" then they are directly answering that something is amiss.
Candy-Coated Knowledge
TCPA / Palladium is the stupidest idea I've heard in a long time.
Sure I understand that the fastest processors in the market, and the latest (probably 64 bit) version of Windows will entice me to switch to the new platform. I probably won't have any choice. But there is always going to be competition. Hell, if nobody builds an alternative to TCPA/Palladium, I will. I know that it'll be worth it because people will choose 'my' platform over Windows because it will allow them to rip movies, music etc.
I'll probably end up richer that Bill Gates ;-)
Get the point?
IIRC Palladium includes features to lock and unlock content based on time/date.
For this feature to be of any use, the system must have accurate and trusted time (what's the point of having exam results that I can only view after the exam if I can change the system clock and cheat?).
This implies that unless I connect my computer to a trusted server, this type of content will be unavailable to me.
Does this mean my computer MUST be connected to the internet to work?
Is there any significance in the fact that "MicrosoftPalladium" contains 6+6+6 characters and that we may soon not be able to buy or sell without "the sign" ?
What technical details have you been dying to know about Palladium?
Is Palladium poisonous to human customers ?
getSexySig();
Won't Palladium delay the release of critical security patches, leaving computers vulerable to attack?
This question should probably be saved until some of the groundwork for it has been already been covered. Here's the basis for it...
Palladium programs and any Palladium data can only be used on a trusted nub ("nub" basicly means kernal). Any changes to the nub are going to have to be submitted for approval as a new trusted nub. How long will this approval process take?
I think they plan an "independant" body to certify/sign a nub as trusted. If so point out this will massively delay the release of their security fixes.
If Microsoft plans to do their own certification that their nub is trustworthy then point out that they are leveraging their 90+% marketshare to create a monopoly on trusted nubs and all commercial use of Palladium.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
"Would you stake your daughter's life on the security of the Pallidium system?"
"Your superior intellect is no match for our puny weapons!"
"How many megabytes will my 'Helloworld.exe' be after I compile it."
"Your superior intellect is no match for our puny weapons!"
Good question. The only way I can see this system being secure against emulating the client is if the chips have an onboard private key, and the public key is made available in a public database linked against some sort of chip serial number. There goes anonymity.
There's no reason for a sig here.
--here's one. "How happy are intel and amd going to be when newchip company-x sees a fabulous way to have a great marketing niche? 'Get the new whizz geek 2003 with the non crippled run anything turbo x processor in it"? I can see a great opportunitythere for some investors. Places like japan are sitting on cash by the bucketful with no where to invest it. If amd and intel want to release ONLY crippled cpus, there WILL be a buyer's backlash. At first it might be small but it will happen and being a "new" chip the fab plant will be new as well. And "billions" of dollars just aren't that hard for major companies to come up with if they see a huge untapped market going begging. All they have to do is undercut amd and intel, make their chips roughly comparable / adequate, and there goes a lot of amd's and intel's profit. And who again are they going to blame? And for that matter, ibm has their new chip coming, does microsoft really want to chance that one? IBM maybe big and clunky, but once in awhile they get something very, very right-this might be it, major industry paradigm shift. they could easily put out a wintel/palladium killer with their new 64 bit chip and a hardened linux from a company that has a "no joke" business presence, perhaps along with apple/osx and some other vendors with linux. And don't forget slowing business panic mode-they cease throwing money at software and hardware, keep what they have-"struggle along"- and bump up advertising and sales for their widgets instead. That applies to at least 3/4ths of the businesses in the US right now.
Why do most so many people use Microsoft products? Is this because their products are functionally better? Or does a network effect play a large part in Microsoft's success. The more people that use Microsoft products and especially the OS, the more applications will work with them, thereby increasing the utility of their products. In addition, many users use Microsoft products because it appears to be easier to conform to the status quo.
I believe Palladium is an excellent means to extend the magnitude of this network effect. Microsoft knows that consumers will not be eager to purchase products that seem inferior to there predecessors. And Palladium will not look inferior. A Palladium system does not directly restrict what the user can do with the system. You will be able to run all the applications you run now and use them in the same way on a Palladium system. But, a content provider will be able to effectively only provide content to consumers running the software they deem appropriate. This software can be very restrictive. If you decide not to use the restrictive software, you give up your right to receive content from providers that require it.
The success of this technology as a DRM tool rests in not restricting the consumer to much. Lets assume the system is developed to a point where it can reliably authenticate an individual user via a smart card or something. This would allow a user to receive the content they licensed at any system that can authenticate a user and is trusted by the content provider. While this trusted systems will only allow users to access content they are authorized to access. If Microsoft could provide a reasonably high penetration of Palladium products, many consumers would find the restrictions of the system reasonable enough to justify purchasing protected content. The more consumers that purchase content, the greater the demand for Palladium products to utilize that content. The more Palladium products the greater the demand for the protected content. There is clearly a critical mass in which palladium would prosper or flounder.
Its important to note that in this scenario, Palladium didn't restrict the user from doing an explicit thing they could do before like playing there mp3's. It simply provides the consumer with access to more content. This is assuming this content isn't provided by means outside of Palladiums control. For this reason, I would expect software will be the first candidate for exclusive distribution within the palladium realm. Infact, Microsoft can add value to palladium by providing software that can only be acquired by a palladium system.
If the use of palladium becomes wide spread, a palladium enabled computer would offer a distinct added value in terms of available content over a non palladium counter part. Yet, to be an effective palladium system, the content providers must trust that system. But, establishing a system as trusted will be an expensive task. An individual would not be able to modify their palladium open source kernel (if such a thing will ever exist) and expect it to be trusted. If this where the case, palladium would be ineffective. This will prove to be a major challenge to open source development. It would inherently make working on many open source projects reduce the value of your computer.
If successful, the Microsoft palladium products will be better than the alternatives not because of technical merits but simple because they are trusted. Establishing software as trusted by the plethora of content providers could prove to be a task only the largest Corporations could afford.
This leads to the question. How will a content provider know what software to trust? Will each content provider need to explicitly define what software they trust? If an entity developed a palladium OS, would that entity need to get each content provider to trust it in order to compete with the Microsoft products that will undoubtedly be trusted by all?
More and more countries start to realize that relying on a foreign, closed source OS to run their government infrastructure, is uncomfortable at best, and a possible huge security issue for industrial or other spionage at worst. For this reason, some are pushing OSS to replace all closed source. So, given that Palladium is really about giving a foreign and hence untrusted/unknown third party control over what your PC will and will not allow you to do, does Microsoft agree this could lead to a much stronger rejection of their OSes by governments, educational institutions, large corporations, and so on ?
..when they've already got the patent on DRM enabled OS's?
That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze
If I am an independent software developer company, can I write software for Palladium platform for free or will I have to pay license fee to Microsoft/Intel/AMD?
What are my chances to developing next big killing app/os, gaining huge market share and grabbing Palladium market share of Microsoft?
--
I find this whole debate about Microsoft and and it's "technology" highly entertaining. Who cares, Microsoft is doomed, yes doomed, bitches.
Corporations, government, and private section are moving servers and network boxes to linux in droves. Heck, even hollywood is migrating to the penguin. With the price of commercial software higher than that of hardware how can Linux (or other free OS's for that matter) not succeed? When Microsoft dies all this "technology" will go away anyway, protect your investment, don't buy into this crap.
Let Microsoft masterbate all they want with their palladium. In the end all they'll have is a hand full of sticky goo.
Azurite is fine covellite is mine.
After going through many discussions and FAQs, I am quite convinced that the Palladium is more of a nuisance than a feature. What I am wondering is about how the inclusion of Palladium will affect the overall performance of the system. Won't these encryption, decryption, remote server verification pocedures be time-consuming ? I haven't seen this discussed in most Palladium discussions, may be it's not very significant. But I'm curious...
getSexySig();
* Only DRM/"Trusted" systems will be able to play content from the Music industry or Hollywood.
* For an operating system to be trusted it needs to be vetted and signed for use with DRM. i.e. it needs to be a "known quantity".
* An OS where the user can modify it at will is not a "known quantity" or signed, and even if it was, as soon as you recompile it you would break the signature. Basically, an OS where you are allowed to modify it, can not be trusted. (Allowing modifications being a large part of the "Freedom" involved in Free Software. You can't have it both ways).
The result being a world where only non-Free operating systems can play the entertainment industry's content, by design.
If you thought playing Windows Media files on Linux was tough now, wait until Palladium.
--
Simon
Reminds me of an XBox "tech talk" I attended at Washington State University. It was supposed to be for people "interested in development of XBox software."
The whole thing was little more than an XBox advertisement and PS2/Gamecube bashing session. I particularly liked the part when they questioned the credibility of Sony and Nintendo in the console video game market.
So, in short, I wouldn't be surprised at all if this was just a fluffy "Palladium is good!" soapbox with no real technical information.
--Jeremy
Jesus was a liberal
Does the adoption of Palladium mean that Microsoft will recommend against the use of Windows OS's in medical and similar applications?
How would works protected by Palladium ever get into the public domain?
Corollary: Does Palladium kill the idea of the public domain stone dead?
Suppose (if only for one nanosecond) that I accept the "benefits" of Palladium to me as a consumer. How much extra will I have to pay to get those benefits?
How much additional cost on the average PC - $1?, $5?, $50?, more? Then apart from the viewing fees for movies, audio tracks and other protected content that I can obviously choose to buy or not buy, what unavoidable ongoing costs will I have for registrations, software licenses, and the like? (Somehow I assume all the new versions of Windows and DRM-compliant programs are going to be rented to me rather than "sold".)
This looks to me like it could easily become a monopoly - albeit a complex one involving MS, content providers, certificate authorities, etc. Where are the elements of competition that will keep these prices down and foster innovation in this new secure world?
Questions? Not a single one. What kind of twit are you to get excited about this? You go to MIT? How did you get in? Are you Jeb's and Georgie's younger brother?
in france, we already are going to regret that... :-(
a major online book & music distributor choosed to have DRM "technology" tied to online testing, and thus if we click on a simple ".ram" link, there's a little window advertising us that we should have a DRM-compliant operating system, (thus windows 98, ME, 2000 or XP) to do that
One such faq was:http://www.microsoft.com/technet/treeview/defa ult.asp?url=/technet/security/news/PallFAQ2.asp
Few important notes:
- Palladium can be turned on/off at will.
- Palladium runs on top of the OS.
- Palladium enables better privacy. You can keep personal information from leaking from your machine, even when running untrusted programs on your machine.
- DRM is something that can be built *on* Palladium. DRM is a possible outcome of Palladium. Is that reason to hate/protest Palladium? By analogy, the DCMA is right to disallow software which can enable copyright infringement, despite what that software can also be used for.
- Palladium is designed to prevent against subversion tactics from software. It makes no guarantees against physical compromise of the local machine.
Overall, I think the biggest problem with Palladium is the potential it has to hurt other OSs. If media companies decide to use it because of it's security, it'll mean that they'll be developing exclusively for Windows, and not Linux. Unfortunately, I can't really see how one might develop an open source version of Palladium.Secured content, secured programs, secured computer, secured users...
You can even throw in some "locked-up" or "bolted", and play dumb with the meanings of these. That's fighting with their own weapons, and in the end you may have started a trend within the attendees' crowd, it may ruin some of their marketing techniques, or at the very least enlighten a few people ;-)
The obvious question with this is: What is the control infrastrucure for Palladium? Who controls file revocation lists? Who controls policy enforcement? Who can gain control through the courts? Who can gain control without users' knowledge?
Specifically, How is storing private RSA keys on an SSC (Security Support Component) different from centralized key escrow management? (Won't the SSC vendor know or at least be able to know the private key?) Also, What are the costs of using blacklists and whitelists?
Another obvious question, although less technical, is: How this is going to succeed where eBooks have not? Back in 2000, when eBooks were the just coming out, Microsoft predicted that it would be a multibillion dollar industry with rapid growth. Digital copyright protection capability was added to their version with the hope of securing their revenue. How are eBooks doing now? Are there any conclusions that can be drawn from this? Perhaps this is an instructive analogy to extrapolate from.
Finally, and perhaps most importanly (but least answerable), the two FAQs above paint rather different pictures of Palladium and TCPA. How are we to know what the effects will really be? Do we have to look at the source?
Windows has its fair amount of problems. If I can accept that Linux runs into problems for many of the non-trivial setups when a newbie's behind the wheel, the very same thing is true for Windows.
;) (and I had some nasty headaches with Linux). Yes, the most trivial of the networks is easier to set under say Win98 or ME; but that baby stops just about there. Linux can go on pretty far and can do some nice tricks for you.
For example: Windows installs are the easiest in the market; Wrong! Linux installs are just as easy with many of the distros GIVEN THE SAME CIRCUMSTANCES. And most distros are 2^n easier to install than Windows for any given mutiboot situation. Hell, I know lots of situations where one cannot install Windows on a hard drive with only a Windows bootable install CD at hand unless he/she can physically format the hard drive; such things don't happen with Linux, do they.
Network setups for Windows can give you just as much a headache as Linux can
I think the Red Hat guys said it more than once that at least for the moment Linux cannot be a substitute for Average Joe's Winbox; it's for corporates where centralized management is possible and the user doesn't have to do things by his/her own, instead he/she calls the administrator and asks for the change. And of course Linux is for guys that want to get dirty with their system and don't care that much if they run into problems with a NIC or a DVD burner; and when they run into problems they don't toss the distro and go with MS again, instead they go and look for a solution. It's obvious that such people are a minority. But the corporate desktop market is huge. If Linux really is adequate for such a market then we have our stronghold.
What Palladium does is to enable the computer to NOT trust its owner.
Any other problem allegedly solved by Palladium can be solved without it.
Really!!
)9TSS
hmmm, lemme see, when palladium comes out it will be the entire population of world hackers focused on breaking palladium. So lemme see, in the red corner, entire hacker population of the world, in the blue corner, M$ software engineers with their highly renouned reputation. LOL, cant wait to see if the thing will be broken in under a day or not.
I have some questions; won't the Palladium chips prevent the development of new technology?
How will companies be able to send out new security patches if there are bugs in their programs, it would probably take months before the "independent body" would approve them. Or have I misinterpreted the technology? How on earth will MS get their applications approved in the first place if they were not to own the chain of command in the approvement-procedures. Just take a look at Outlook and you'll understand my sentiments.
Can you run non-trusted applications on this thing? What about the helloworld-code you just compiled last friday. Are we also stumping the newbie developers their chance to get into the meat-market?
And when I think about it for a while I really don't see how this can't be accomplished using opensource code as well. If you have a library communicating with the Palladium chips you can just use it to gain access to that processors public key. You then send that public key to the content provider to get the latest movie from Hollywood. The content-provider receives your public key and encrypts the content with it. You then download and ask the palladium to decrypt and play. One problem however is that you will be able to store the decrypted data on disc (you asked the palladium to decrypt it, remember?). But then the question really becomes wether or not you would bother to download that last pirated movie or pay $2 for your own copy.
I really can't see how closed proprietary software will succeed using the business model of the Palladium. First they will need to develop the application, then get it approved, and then trying to "steal" Microsofts marketshare on that particular application. Aha! I believe we are getting somewhere now. It's just a new method for ensuring monopoly.. How clever.
=-kiOwA-> EOF
Will all laptops have to have wireless connections just to be able to work away from home? Of course they could allow you to download this giant "list" and save it on your hard drive(HA!)
Of course this indicates at another transitive dependency... that is... wait for it... needing an internet connection and the hardware to support it. So even if you never wanted to use the internet, you now HAVE TO.
Anyone knows that the most secure machines are those which are not connected to the internet. So I guess what microsoft really meant by a new focus on security was that they are going to try and secure a future for themselves! This in no way secures the end users computer anymore than stationing employess from Microsoft, RIAA, Disney, and other media conglomerates at your workstation.
I do feel that the need to protect data but I feel that this is a horrible solution. The only incovenience today is for the copyright holders and not the end users. The first company that finds a solution in keeping it this way will win whatever it is these people are trying to win.
the source code, so I can *see* that Palladium is trustworhty?
Or do I have to rely on a Micro$oft PR monkey, who ensures me, that it is?
The point is that the framework must not be adopted. To have one company control all aspects of data manipulation is insane. And what's more, this is the company that changes their EULA in an upgrade! So even if the answer to your question now is "why sure, you can create, distribute, run, and in general do anything you want with open source or any other program!" what makes you think that they can't just change this sentiment for "security reasons" or because they decide to call open-source "flawed" or "threatening" or whatever... the point is that, by adopting the system, you give them that control.
I don't usually like to quote Star Wars, but in this case it's more than appropriate:
"Once you start down the Dark Path, forever will it dominate your destiny." --Yoda
The point isn't what will happen once we're already on the path... the point is we must never even start in that direction. Don't give up self-government of data for promises of greater security any more than you would give up your Bill of Rights for better CIA surveillance.
Oh wait... I forgot we've already done just that.
"We must still have chaos within in order to be able to give birth to a dancing star." --Friedrich Nietzsche
This will create some "vacuum" in the market: Users of free operating systems willing to purchase some content playable on their equipment but established entertainment companies not providing it.
So if market is (and will be) operating correclty, I'm expecting somebody (and not just one) to start producing content playable also on free OSes.
If market is (and will be) operating correctly ... i.e. freely ...
hany
How can Microsoft, a company with a well-deserved reputation for sloppy security and maladapted software, expect to all of a sudden create and deploy a secure operating system? It seems with a $40 billion bank account, MS could clean up its act, but it hasn't. What makes MS think it can turn its security model around to actually be secure?
Dawn of the Dead
For example: will Osama Bin Laden be able to communicate secure with Palladium? Will even the NSA not be able to decrypt his messages? If they are able to do that, what makes sure that hackers won't be able to do that? If the answer is computing power, what will prevent a hacker of using a computer grid (e.g. Seti@Home).
Buy a Mac in two years and run Linux and OSX on 64-bit systems!
Say I have a Palladium-enabled computer and I have bought some digital audio from the Net. How can I do something completely normal with it, like burn it to a CD so I can listen to it in my car?
I believe posters are recognized by their sig. So I made one.
Say I write something in an interpreted language, Python, Perl, Java, whatever.
The interpreter binary that runs the code is signed, totally officially Palladium-fine.
Then I can write any Python code that does whatever, can't I? You can't sign the ASCII source code.
I conclude that any language interpreter, or any application that has any sort of scripting language (say IE, Outlook, Word) can't have any means of breaking out of DRM in the language or it won't be certified. This is unbelievably crippling.
I believe posters are recognized by their sig. So I made one.
does IT come with an ill eagle payper liesense hostage ransom agreedmeNT?
whoever tolled you that evile deceptive ?pr? FUDgePacking is dead, must be from the future.
You raise a good point there, the value of the digital media may far exceed that of the system. Systems get replaced/upgraded, so there must be a workable key recovery system which can cope. If a key recovery system is in place, then we have to factor in how many machines are replaced/repaired in a year. This is a lot, taken worldwide. What kinf of key recovery procedure would function for so many systems per year?
The prospects of Palladium are fantastic. However from a cryptographic "data flow / data storage" perspective, there are still many fears that the wealthiest corporation in the world will strong-arm this technology through without the required public review and due diligence.
The AES process took years of open and very public scrutiny. Palladium will require at least that long before it is trusted. What are Redmond's timelines for disclosure, review, and deployment dates?
Maybe not today, and maybe not tomorrow, but soon that man will have a coronary that they will talk about for YEARS.
"Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
I don't hate you, yet my ID is listed as one of your foes. How's that?
The Grassy Knoll
NO code can run on palladium enabled hardware that is not signed by Microsoft. I am concerned not just about Linux, but about all open source and individual development in general.
:)
That's OK, we just get a signed version of your favourite scripting language (perl.exe/php.exe/basic.com) and get on with hacking around things. Maybe this will be the time of scripting languages on windows?
The trouble will be if hacking involves getting into the device-driver level, as perl probably won't be much use here. And this is where the chance of getting at the real data (if you're a pirate) is; memory blocks, I/O ports, etc.
Actually, for things that exist now, i.e. CDs and current DVD standards, piracy will always be a problem, as there is so much palladium-free hardware around. It's only when people have to buy new hardware that is only available in palladium-enabled form that palladium will be a problem. And if people have to buy a new OS to match their new DVD-XX drive, and buy a new MOBO too, there will be massive consumer pressure against this.
OTOH, there is always the chance of intercepting the signal e.g. on its way to the screen, speakers, whatever. Piracy will just be a lower quality than the original. I guess we'll ^H^H^H^H^H people will have to live with that
I reckon that true (i.e. industrial-sized, not someone who rips a few mp3s and trades with their mates) pirates will just have to get a bit more technical with osiliscopes on the boards and that kind of thing.
Note to ACs: I won't mod you up, even if you are being funny or insightful. So take a chance! It's not real life!
So what to do if you're Microsoft and still enjoy a monopoly? Answer: You do your best to own the distribution of copyrighted material on the internet. You'll need windows servers to distribute such content, and windows clients to access it. Of course MS won't be able to completely exclude free clients, but you can be sure it is doing everything in its power to make participation more awkward for free software.
Rational people won't want to play along, so MS (and Hollywood) will try to help by removing any choice in the matter. It is leaning on vendors so all the hardware will be infected, and when the time comes it will use whatever laws happen to be handy to criminalize defeating Palladium.
That's the plan, anyway. But while we know that Palladium can be used for good ("it'll stop spam!"), we also know that in practice it will be used for the benefit of Big Media. And to succeed any regime has to have at least tacit consent of the governed, and I just don't believe anyone will buy the spin. What I do believe is that this struggle will get much bloodier before it is resolved.
For those who scoff at the idea that free software will become a viable alternative to MS products: have a look at rh8, and ask yourself if it's still too hard for aunt Betty. If so, compare it to rh6 of a couple of years ago, and imagine what rh10 will be like. Will rh10 also be too hard?
One of the reasons consumers are supposed to care about Palladium is the protection it can offer against running untrusted code such as viruses. Seems that a good number of the effective viruses are not standalone executables, but Outlook scripts, Word macros and the like.
Is Palladium supposed to offer any protection against these? (If not, then skip the rest of the arguments...)
How would Palladium help? Presumably MicroSoft applications would be "trusted", yet these applications are the executables that are doing the damage (while executing the macros or scripts).
Are scripts and macros going to be considered distinct executables, that must be independently certified and signed? What about very common scripts like javascript for HTML Image rollovers, layers, form validations, etc.?
If not every script has to be signed, then how does Palladium make a practical distinction between what does need to be signed and what doesn't?
If every scrip has to be signed, then how would a new Palladium enabled system keep compatibility with the existing web, existing microsoft documents, and microsoft's application design philosophy?
axe 'em if they give two squirts o' shit about the linux wankers that populate slashdot.
Let's say I have a piece of software that would want to operate on Palladium-encrypted data, say a OSS alternative to a (overpriced/bloated/bugridden) commercial application. For some mysterious reason (read: monopoly power) Palladium-encryption of this data has become a de facto standard.
;)
Would I have to submit the source code in for verification? How much would a code validation cost (read: much more than any OSS dev could afford)? Would I have to go through the entire process every time it was updated/bugfixed? Or would there be some notion of being trusted in good faith, probably with a huge legal liability attached (also a OSS dev no-no)?
I fear that the Palladium scheme will lead to a monopolization of the software arena, favoring the big software corporations, and the death of using open standards. "See the [LOTR II/Matrix II] trailer here on our MSHTTP server - the new standard for multimedia content. (Palladium/Windows Longhorn/WMP14 required)"
It's also a perfect solution to Microsofts increasingly big problem justifying OS upgrades. Now its new feature can be "access to all the digital content provided by [new wiz-bang-protection scheme]".
Microsofts biggest concern should probably be their stupid users. I think Windows/DRM formats will piss a lot of people off when they don't understand how to copy/back-up/transfer their files to a new machine or similar. Unfortunately, I don't quite see who'll be there to pick up the competition. Macs will always be there on the sideline, and while Linux is coming along I don't quite see it being the OS to tell MS to KISS
Kjella
Live today, because you never know what tomorrow brings
Comment removed based on user account deletion
Comment removed based on user account deletion
The Common Criteria defines levels of security assurance that computer systems meet. And a process for certifying that they do so.
Surely a system which stores such sensitive information must be at the highest assurance level. So ask them if the data will be secured on an EAL-6 certified operating system? And is the data base also certified at that level? The application at that level?
The follow up querstion is of course, how can you assure us your system is so secure if you won't expose it to the rigors of the examination that results in Common Criteria certification?
One thing that everyone doesn't seem to get is that consumers would love Div-X if it was the only way to watch a movie.
The fact that they can just go buy a movie on DVD for less than they can buy a music CD killed Div-X. Div-X didn't kill itself.
If the only thing that MS supports is a palladium computer, and of course the only OS that your office will run is MS, then your office will buy new palladium computers.
You can then chose to run WinXY at home, so you can steal your office applications and be compatible, or you can stay back on clunky old WinXP.
Intel and AMD are both already working on in. You won't be able to bypass it with Linux because of the DMCA. You will have to stock pile old hardware just to run Linux. You won't have a choice to chose non-palladium if MS has its way. The consumers will vote resoundingly for palladium.
Sort of like the free election in Iraq. Of course Saddam will get 100% of the vote, he is the only one on the ticket.
What do they think are the legal ramifications of the Palladium feature to remotely delete email? Especially since M$ _itself_ is/was under scrutiny for destroying evidence in their courtcase?
Didnt InterTrust develop 'Trusted Computing' - why are they not mentioned on the TCPA Website?
Pixels keep you awake!
Comment removed based on user account deletion
As soon someone say Microsoft the converstion party mood ended. Don't be friends with the MS users. Challange them, but let them know that they are peeing in your creek, upstreams that is.
Q. If Palladium becomes 'successful,' will chipmakers other than Intel and AMD be allowed to produce the hardware, or will they become yet more companies left out in the cold because of the Micromonopoly?
Perhaps this is a question for the law department at Yale rather than for MS, but ...
Microsoft is a convicted criminal. What are Microsoft's legal rights at this point? Are there limitations (e.g. felons can't vote, as we all learned from Florida 2000 -- hell, in Florida, African Americans aren't allowed to vote, it appears!)?
The point is: should a convicted criminal enterprise (Microsoft) be allowed to create and profit from a security system (we will assume, for the sake of argument, that their notoriously poor coders actually make this secure) that can affect the majority of the world's computer users?
That Microsoft is still leading such efforts is a bit like Willie Sutton being put in charge of bank security.
I can see the uses of hardware protection. It can serve as another added layer of security that I can put on my machine.
However, almost all of the user-benefits can be obtained with an open architecture, where anyone can create the chips. Where the master keys are public. If I don't trust *that* chip, I can plug in my own, or even design my own FPGA or microcontroller.
Why would Palladium things like serial numbers, or a unique per-chip keys, or signatures on their key by other keys that are NOT under my control.
This gives users complete power and control. It also makes it impossible for an outsider to determine your implementation (which is a good thing). (IE, this design no longer supports 'remote attestation' which is a big weakness.)
Why didn't you chose this design?
Comment removed based on user account deletion
Peter Biddle of Microsoft gave a palladium talk at the usenix security symposium in August. At this talk he said that he was unaware of any way that Palladium could be used to combat software piracy.
Lucky Green immediately wrote down several ways in which palladium could be used to do this, and filed patents on these methods.
Explain the above, then ask if Palladium have any method of preventing software piracy. Follow up by asking if they are utilizing the methods described in Lucky Green's patents.
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
You should personally shove a giant wooden stake through the lectures' hearts and burn them as effigy. Anyone who dares utter the Name of Satan (Palladium, Bill Gates, Microsoft, /etc) in this country will be sent to Satan by fire. You should carry the carcasses of these demons to a courtyard, pour gasoline into their orifices, and light them with a torch. Also its a good idea to keep one of them alive so that you can set it on fire and watch as it sets a clear reminder to witnesses that an evil will be met with greater evil.
Please remember for someone to bring a dictaphone to the lecture, or at least have it recorded by something/someone, so that their answers can be heard first hand by everyone.
Also, If you are planning on asking multiple questions, write them down and hand them out to some of your friends for them to ask. They might only let one person ask one question. Plus it might be a tad suspicious if one person keeps standing up to ask 10 carefully crafted questions. And you're less likely to look like a lone screwball if half the audience are asking challenging questions.
Malike Bamiyi wanted my assistance.
Kinda strange logic here, you express suprise at the idea that someone educated at MIT would make statements you find illogical, the statement being that someone who comes from MIT is unlikely to make stupid statements. Were you trying to construct Zeno's paradox?
I know Brian and Hal, have done for years. I have lectured to Hal's class. I have also discussed Palladium with Brian at some length.
The fact is that the questions are far from unpredicatable. In fact the ones you appear concerned about are exceptionally predictable and very easily answered.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Comment removed based on user account deletion
The question that any business should ask itself constantly, and I don't see a clear, disclosed answer to this one:
How will making this action (creating a digital rights management infrastructure at some cost to both me and my partners) and distributing it increase shareholder value?
That is, do I expect to sell millions of these things? How?
I expect the answer is: "We'll stop selling operating systems without Palladium. Thus you must have Palladium hardware to run software released after x, where x is the release date of Palladium"
Which is an obviously evil answer. PR guys don't like giving obviously evil answers, so I'm curious what his actual answer is.
Wow, the whole idea makes me wanna go buy an AMD box (assuming AMD will boycott Palladium) and install Linux today so I won't be forced to make the transition in a year or so.
I am disrespectful to dirt! Can you see that I am serious?!
...they WILL be ready for it. (do you read me? do you read me?)
My question would be:
At what point does microsoft plan to not be compatible with older operating systems. With the mainstream use for the most part of the windows 2000 (think XP here as well) will there be integration of this technology within these operating systems, or will this new technology only be utilized and supported by newer operating systems produced by Microsoft (see longhorn and blackcomb)?
In the event that this is only supported by newer operating systems, what steps are being taken to reduce the risk of these systems interfering with the security of the newer machines interfacing with the old ones, as well as provide backwards compatibility?
Investment (paying people to give up the golden egg)?
George Lucas is sitting on a perfect digital high-resolution master of his own Popular Science Fiction Movie. He is willing to release it to the public if it is protected by DRM. However, he knows that if he goes with the Palladium DRM solution, it will eventually be cracked, and controlled distribution of his work will be compromised (meaning: everyone can get it via P2P networks).
Why would an intelligent media company create something special for Palladium (that we wouldn't have without DRM) if, as history has shown us, it isn't a matter of if it is cracked, but when?
As a consumer, why would I want to go with a DRM solution? We've been told that 'special deals' and 'special content' will be magically unlocked by DRM. But given the case above, that a media company seriously risks compromising the distribution of anything their release via Palladium, they will be reluctant to create those special deals. And people will be more than happy to get their hands on the same material, without all the st(r)ings attached.
How do you solve the chicken in the egg?
Comment removed based on user account deletion
(Blah, blah intro. "Microsoft shares are putting me through college.") As an investor in Microsoft, I am concerned of the encroachment of Open Source (or use "free software") and its displacement of commercial software. How will Palladium help control this profit draining activity?
Q: Will they believe Palladium is unbreakable?
As we all know, nothing is. They should know that too and can't answer without saying "but ...". Let's hear what's after the but part.
zHow do you plan on handling the possibility that Joe User will think his Palladium machine is broken (won't play many of his favorite files, typing in his driver's license number doesn't help)?
and
Do you think the PC manufacturers are up to handling all the returns of the "defective" PCs?
How does this benefit the consumer?
How does it make my computing experience any easier or better.
I'm not asking how it benefits corporate america who simply wants locks on my home installed and I have to ask to be let out/in.
What will palladium do for me?
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
If the microsoft campass in Redmond gets
covered by the enevitable lahore flow
when Mt Rainier explodes next, and
the whole place is covered over like Pompei,
and all of their 'mother-may-I' servers
are destroyed like Sodom and Gamorraha were
destroyed, will Anyone ever beable to boot
and run their machines?
If my network connection is disconnected, will
I be able to run my software? Ie, if I live in a
place with major storms and all lines are down,
will I be able to use my computer (assuming I have
a powersupply)?
So... We're gonna use P2P sharing tools to distribute content after DRM has been cracked away from it, and Palladium will make sure that all those no-upload patches won't work anymore and every leecher really is an uploader too!
-Why should I trust MS (or any company for that matter) to decide what software runs or does not run in my company's computers (pretend you are a whi-kid CEO)?
-Are you and Intel going to finally take legal liability when my computer is hacked or when a new virus strikes? If not, then where is the advantage for me as a consumer (then kindly remind him how MS does not accept any liability for its products).
IANAL but write like a drunk one.
Comment removed based on user account deletion
Q: Please complete the following well known quote : " Those that give up freedoms for temporary security... "
Come at it from the opposite direction.
:)
Is Pallium too secure?
In these days of every government agent and his deputised dog protecting us from terrorists by reading our e-mail. Wouldn't a rock solid operating system that kept its user's data as secure as the stock photo of Utopia that Microsoft is using to sell it actually be against the interests of the spooks?
If it is as secure as they say doesn't export laws on strong crypto apply? As a Uker I pray that it is too strong to be exported out of North America
Here is a question I would like you to ask. I believe that it is a good question because it is simple and hard to evade:
Palladium technology allows for the signing authority, in this case Microsoft, to create a blacklist of forbidden computer documents on all Palladium enabled machines. Will Microsoft maintain sole control of their ability to blacklist documents, or will they grant this ability to government as well?
--
What happens when you outlaw guns
Once suitable hardware is available, will Palladium have support for brain implants?
Followup question:
If my implant wears out and is replaced will I loose all my memories if I don't first transfer my license files from the old implant to the new one?
Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
Will be impossible with suggestions from this forum- don't you think they're reading it?
/.ers to keep an open mind on this topic- but it might be a possibility, however small.
Instead of going there with the intent to make them "squirm", why don't you try to think up some honest, technical questions. Do they plan on allowing non Microsoft Operating systems to have access to Palladium technology? The point about free/open source OS's being excluded by design was a good one- but may not be true. The portion of code that must be signed and verified may only extend to the Palladium framework. In fact, it most likely will have to be. Even Windows users modify their OS in non-Microsoft ways- I don't think they will get screwed.
Find out if they're really going for a kill here, or if they might actually have a larger userbase than their own OS in mind. I know it's hard for most
How about this one:
"If I, as a ameteur filmmaker, wish to create and distribute a homemade DVD of my work, what kind of process would I have to involve myself in to ensure that my work could be displayed on a Palladium-enabled computer? Will I have to purchase new mastering software? Will my current DVD-authoring software create DVDs that can be viewed? Will I have to pay a fee to apply a digital watermark? How will the watermark key be controlled and disseminated? Am I giving up rights to my work?"
We all know the big companies are behind it. But what about people who want to create content for themselves?
In other words,
Comment removed based on user account deletion
It was my understanding that the whole master key security concept was a flawed one. And could leave applications vulnerable to attacks if a person gained the ability to execute instructions on a remote computer they could execute all instructions on a remote computer (i.e. any one of the 5^10 outlook viruses) A safer, smarter concept would be a capabilities based system where the user/application is granted rights per role.
It seems that this system is locking a computer into a single point of failure, so if a malevolent application was allowed it, it could do anything, taking advantage of the fact that the user assumed his box was safe and could therefore store all of his CC#'s and other valuable information.
So in Short, what is MS doing to combat the possble worldwide abuse of users' computers by jacking a trusted key, or bypassing the main security checkpoint?
stdcallsign
Who can code against it? What will that cost, what about free players for payed content?
Comment removed based on user account deletion
What will Palladium DISALLOW me to do that I currently can do? (on a technical level)
Comment removed based on user account deletion
"What Palladium does is kind of the reverse: it lets the remote server check that you are running 'kosher' software. A remote server could refuse to stream content to anything other than Windows Media Player, for example."
So I run a ripper hacked sound driver that captures the playback from Windows Media Player to an MP3 file.
Now we have a problem, unless you prevent me running my ripper your media can be compromised.
Hence they MUST DISABLE software that would break the protection, hence MS gave themselves the right to break software as part of the DRM EULA.
The scheme cannot work unless they disable software. So at some point they must go that route.
If Paladium ever ships, what will prevent knowledgeable hardware hackers from 'clean room' engineering a 'Paladium Emulator' that will run under a non Paladium OS & hardware that will mearly pass the appropriate handshakes to so called 'protected' programs and media content. I mean, really, its only a matter of time - no matter how well encrypted the low level OS and boot code. Too much knowledge of the logic of hardware / OS structure is available. - - - Supress that knowledge and the US will rapidly head to 3rd world status in the current technological revolution.
Or by buying the hardware, will the license state that MS really ownes my machine?
I don't suffer from insanity, I enjoy every minute of it.
please please have someone make a video of the event
and post it somewhere for download.
thank you
Does this mean, for example, that Apple would have to have Microsoft review the source code for its Windows version of the Quicktime player? Would Oracle have to release its source?
It seems so rediculous that I can't see either one of those companies letting an outside party review thier source code. Particularly under a Microsoft-inspired initiative.
Some members of the Linux community are having trouble seeing beyond themselves. Linux is fun for people who like computers. For people who NEED computers for their jobs, but didn't study computer science in school, or people who want email and web browsing at home, but don't want to take a class on operating systems, Windows is what they choose. Even the Linux titans like RedHat and SuSe can't get the product to the level of simplicity required by people who don't want to fix it themselves.
Comment removed based on user account deletion
I have found that linux has been an excellent solution as opposed to windows. Although it is differant than windows in how you do things, it doesn't make it worse. Differant can be better, which is what I have found. I have been running Mandrake and haven't had any issues, Windows XP dropped ALL acceleration on my Voodoo 5 5500 while linux picked it up and now runs extremely fast. Setup was easier and my father (who isn't all that computer savvy) is now using linux more and more while using windows less and less. Linux is ready for the desktop. People just have to give it a shot.
HEY, raise your hand and calmly ask this question to the crowd, and not the Microsoft reps:
Does anyone here want Palladium?
4 questions: 1.)do they plan to phase out the ability to disable palladium? 2.)also- if one chooses (if indeed it is possible) to not enable palladium, will they be unable to use multimedia content or install OS upgrades? 3.)- why does microsoft feel the need to (currently) spy on what media you view/listen to, and why is there no feature (short of a firewall) to maintain privacy in viewing? (if you purchased the OS you should have the ability to listen to your own music and watch your own videos without being a constant source of marketing information for MS without your approval) 4.) why do they feel the need to change TOS agreements in ways that change the fundamental rights of a purchaser with security patches (and isn't it either illegal or greatly unethical to, a year after the product has been purchased and is no longer returnable, change the terms to something that the end user may no longer agree to)
Which is fine if that's all you want from a computer. You make a certain amount of tradeoffs in order to get a mac. That's the ways it was, and always will be.
PC's may not always work, but they're cheap and upgradeable. However, notice that Gateway and Dell are trying to get people to buy Mac-like computers. They are much cheaper then the Mac, but they are still not upgradeable.
Ask what will happen to freeware software, open source development, and media intended to be released openly or as public domain.
WHY?
... and then there were none
Agreed. But that is because many of the protocols, APIs, file formats and hardware specifications are secret. The more we use GNU/Linux, more of this information get available and is put into good use.
Additionally, MS Windows can't keep your privacy, protect you from viruses, save you on hardware and software costs, give you the information and freedom GNU/Linux does.
Leandro Guimarães Faria Corcete DUTRA
DA, DBA, SysAdmin, Data Modeller
GNU Project, Debian GNU/Lin
How will this work on my Macintosh?
Palladium and LaGrande will be necassary components launch trustworthy computing. MSFT is at the root of much of the existing security holes and that is somewhat ironic. However, they are not going to be doing this alone. It will require the help of Intel's LaGrande, AMD's yet to be announced solution and deployment by the PC companies. Palladium will be very good for the Internet and the advancement of PC's. People and enterprises will have a choice on whether to use it or not. If you don't like it, you can always switch to Apple or Linux. There are choices.
but in this case how does it meet the claimed BORA prevention. Is it BORA prevention _presuming_ the local user is not interested to reconfigure his own hardware?
No I wouldn't.
Could it be becouse I wouldn't do anything so outragously foolish?
Or would it be my objection to Microsoft?
Well those are good reasons but no...
I'm just to lazy. Sorry but to jump around like a monkey takes to much effort.
He's proven however he can and will do it at the drop of a hat.
(This kinda disproves the notion that lazy eq fat.. He's fat I'm lazy end of story..)
I don't actually exist.