Slashdot Mirror
RMS Urges Opposition to "Trusted Computing"
Andy Tai writes "In this Newsforge article, Richard Stallman analyzes the "Trusted Computing" initiative and Microsoft's Palladium, points out that such initiatives are really means to ensure your computer can be trusted by Microsoft and Hollywood (you can't do things they don't want), and urges computer users to organize, to support the Public Knowledge and the Digital Speech projects and to use their consumer power to block "Trusted Computing" in its tracks."
former student, returned to his Alma Mater and gave a talk on some of the
technical aspects of Microsoft's Palladium project. Brian began the talk with
a quick overview of the goals of the project. He stated that Palladium's
goal was to 'Protect Software from Software'. He went on to enumerate some
of the nightmare scenarios that keep the Palladium team up at night, such as
a virus/trojan that launches something worse than a Denial Of Service (DOS)
attack.
These included:
After this brief introduction, Brian went on to describe a hardware based
software security system that would provide 'Fingertip to eyeball security.'
This system would consist of a hardware Security Support Component (SSC)
chip, a special security kernel called the 'Nexus' and user level security
applications called 'Agents'. Palladium would also require alterations to
the MMU for the curtailing of memory and USB for secure input/output.
Brian admitted that Palladium would offer no protection against DOS
attacks and that Palladium would necessarily include a universal serial
identifier (this
would be provided by the RSA key burned into the SSC chip). He also promised
that Palladium would run unmodified legacy applications and drivers.
Problems surfaced during the end of the talk when Brian began taking
questions. Richard Stallman correctly pointed out that Palladium was being
presented as a way of improving the security of personal computers. Indeed,
according to Brian, this was the focus of Microsoft's Palladium project, but
no where in his talk did he present any solution to the crucial nightmare
scenarios that are supposedly keeping the Palladium team up at night.
Indeed, as was pointed out by Stallman and others, if Palladium would run
unmodified legacy applications, then how could Palladium thwart the legacy
virus/trojans without upgrading Palladium enabled Outlook/IE/IIS?
The truth is Brian was being disingenuous when he described the nightmare
scenarios that motivate the Palladium team. In all honesty, there are only
two nightmare scenarios that are relevant to the Palladium project:
The nightmare scenario of the large copyright holders who fear the
internet
has ushered in the end of there ever ballooning bottom line
The nightmare scenario that Palladium will allow the large copyright
holders
to effectively eliminate the fair use rights of the public
With Palladium, Microsoft plans to solve the former by introducing the latter.
To get to the heart of the matter, we have to ask _why_?
Brian says Microsoft is concerned that large copyright holders will refrain
from publishing works in formats compatible with the Windows PC. My theory?
Microsoft sees an opportunity to bolster there own
bottom line. Palladium is meant to do for DRM what
for web services.
By providing the infrastructure, Microsoft hopes the content companies will
write applications and release content only for Palladium enabled systems.
Joe Consumer who wants to listen to the next Brittany Spears album on his
computer will be forced to upgrade to the next release of Windows/DRM. Of
course, it doesn't hurt that Palladium could provide quite a few wrench's to
throw at Microsoft's open source competitors.
Nightmare scenarios indeed!
Kernel developers also want to have him banned from the LKML for constantly spamming it with off-topic political discussions.
Wrong! One missguided person wants him banned. Everyone else thinks that he is annoying but generally harmless.
Most ernel developers understand that censorship doesn't solve anything.
Do you have Linux and a DotPal? Click here now!
First of all, he has not constantly spammed the list. Secondly, as anyone following those threads on LKML can see, most kernel developers have no problem with RMS.
The law would effectively prevent you from connecting them to the (now DRM-enabled) Internet, because the old computers cannot speak the right protocols.
Liberty in your lifetime
Funny, I've yet to come across a working environment where we do what 'right'. Usually we supply a solution for a demand in our marketplace.
.. if it does indeed end all of the sketchy goings on of Windows User A's computing experience. I'm certainly willing to believe that thats a healthy portion of the justification of Palladiums development.
.doc format of pop culture are the kind of tactics that leads to a healthy, progressive techological marketplace in which we all benifit by achieving maximum efficiency out of the resources available .. but thats the shakiest justification of them all. And the DOJ has already supposedly told them that it isn't true.
Windows User A isn't smart enough to 'demand' trustworthy computing, so I don't believe they're doing it because users are asking for it. MS might be doing it because they think its the right way to win back frusterated users (or at least turn their customers' love/hate relationships into love relationships)
However, can you honestly tell me that MS doesn't smell the yumminess coming from owning the 'Word Format' of pop culture?
Granted, maybe they just think its 'right', in the sense that their tactics to own the
"Old man yells at systemd"
Sandboxes and an agent watching the mail spool.
... and be just as accurate as you saying that MS is driven by a desire to disallow fair use.
Sure, but then this is not a part of Palladium. MS offered _zero_ ways Palladium might defeat these attacks. Therefore, it is rightly understood that Palladium has absolutely nothing todo with what we normally think of 'security'.
Stop thinking like a medieval catholic zealot, and start thinking like a modern-day person.
What the hell are you talking about? Do you normally randomly spew incoherant phrases? What do you have against making sense?
Were you at the talk? Are you aware that Brian admitted that the elimination of Fair Use was one of Palladiums goals? This is not in contention. What is in contention: Microsoft passing 'security' off as the primary goal.
"The project began about four years ago as an epiphany among a small group of Microsoft employees who were working to solve the problem of content protection for online movies."
"The end result is a system with security similar to a closed-architecture system but with the flexibility of the open Windows platform."
And to stir up the pot a bit.
The way Palladium eliminates fair use is as follows:
Lets say I develop an application or send a document. And I am not interested in getting a certificate for that application or document. Well Palladium can stop my application or document because it is untrusted. Fair enough, that is true. BUT and this is a big BUT, the control of determining this is not in my hands.
It sort of goes along the warrenty lines. Most people in Slashdot could take apart a computer with their eyes blindfolded. But if you buy a namebrand you will void the warrenty. Fair enough because the company does not know who is twiddling with the computer. The only catch is that I can void my warrenty if I want to. I have that choice!
Palladium will not allow me to void my fair use if a company deems it so. This runs counter to general consumer laws since the person who decides is not the consumer, but the company from where end product came from. This means I do not have a choice.
Big difference. Now about taking them to court? Yeah, yeah, do you happen to have the money to take them to court? The same situation will arise with as with Kaaza. Legally Kaaza is not responsible and hence the companies have to go after those that share. A very difficult scenario. With Palladium the tables are turned in that they can shut off access to one CD and you have to fight to have every CD turned "on". Will society actually go after every instance of wrong doing? Not likely!!!
Now about looser terms? Ha! Time and time again it has been proven that when corporations can increase their profit lines they will do so regardless. Corporations are entities that only care about money and not social ethics. Otherwise we would not have Enron and Tyco messes.
We have these problems now with "stealing" because corporations are gouging for CD's. Here in Europe the big Labels were just fined for price fixing CD's....
"You can't make a race horse of a pig"
"No," said Samuel, "but you can make very fast pig"
Now if I could pay $5 to download a guaranteed high quality movie at a speed of 100KB/s, why would I even care about Kazaa?
As soon as they start to make high quality movies available for download, what's to stop people from sharing them on Kazaa? Granted, you can essentially do this now if you have the right equipment/software, but this would make it way too easy. This is why they want some way of ensuring that only the person that has paid for the movie can actually view the movie.
Blah Blah Blah
Actually, 'trusted' applications do not run in a protected data space. 'Agents' run in a protected data space. If someone is able to spoof an agent or install a trojan agent, then Palladium goes to shit. Now, it might be more difficult to spoof an 'Agent' but you know someone will find a way.
I was not impressed at all with the mechanics of Palladium. I do not doubt there are some incredibly brilliant people working on it, but they are attempting to solve a hopelessly complex problem. Most of this complexity comes from the business rules that define Palladium. I have no doubt that these people are capable of building a fortress of an OS from the ground up, but the execs are putting an enormous amount of criteria on it ie, Palladium must run with legacy applications and third party legacy apps. That requirement alone makes Palladium look like a big pile of spaghetti.
"As soon as they start to make high quality movies available for download, what's to stop people from sharing them on Kazaa? "
I thought I had already covered that in my previous post. I guess I can go into a little more detail:
Pay them money, and you can get the video pretty fast. Go through Kazaa, it can take hours, even days for it to come through. In other words, Hollywood actually provides a service.
Secondly, what's to convince me to share a movie? "Dude, if you want the movie, go buy it." I wouldn't have to keep my computer constantly busy to share it. Sharing files on your computer is a chore. It disrupts your net connection, drains on your computer's performance, and it's just not worth it if a reasonably priced alternative is available. The MPAA doesn't even need copy protection (restriction) to make it unattractive to transfer movies. All they need to do make the movie bigger (i.e. higher resolution or less compression) to make it even less attractive to send around. Most'll download a 2-gig movie at 100K/s before I download a 600 meg movie at 15K/s. Those who are willing to trade the files despite the availabilty of that service are over-exerting themselves to save a few measly dolllars.
Third, they could offer streaming. This may or may not be interesting to everybody, but I certainly like the idea of hitting 'ok' to submit my payment, then moments later the movie starts. It sure beats waiting a while to download the video. If they were smart, they'd have a streaming solution that stores to your hard-drive as well for an extra nominal fee.
There it is. There's a business opportunity right there. But Hollywood would rather stop you from doing things that they think is harming sales than take a risk and potentially make more money from you.
Comment removed based on user account deletion
Palladium will not make buffer overflows disappear. They're still going to happen in the code, it's a fact of life, what Palladium would do would be to run the application in an addess space where no other apps can access it; nothing would stop an app from writing to it's own memory.
No form of protection like Palladium can elimate bugs, all it can do it limit their effect, which is what Palladium hopes to accomplish (the way I see it, anyway).
This has been a test. Had this been a real emergency, we would have fled in terror and you would not have been informed.
This is wrong -- Chris Hellwig wants him banned from LKML. Alan Cox, Roman Zippel, Adam Richter, Jeff Garzik, Andrew Morton, and Larry McVoy want not to have him banned (for reasons of free speech and the efficacy of killfiles for those who don't want to hear him), and so far no one's piped up agreeing with Hellwig. It would be correct to say that "a kernel developer" wants to have him banned.
"Palladium is not DRM. Palladium is hardware enforced encryption."
Palladium is a set of digital rights for what processes on your computer will and won't do. Go read the FAQ here and tell me that doesn't sound like DRM.
"No one is forcing you, or will force you to use anything related to Palladium (well maybe your boss, but he's probably a jackass)."
Question: Can you still run Windows 95 in today's world? You can't say yes without saying "as long as I give up a few things...". If you're a Windows user, you are not running Windows 95 or Windows 3.1 comfortably.
"False. Windows XP can phone home for you, or you can do it yourself. Big deal. "
False? You restated his point and said 'false'. Heh. And yes, it is a big deal. MS can not only deny you from using Windows XP, but your computer's existence is dependent on them remaining in business. They'll eventually cancel support for XP (like they did with Win95), and you'll have no option to continue running it. MS has turned Windows into a subscription model without anybody really realizing that.
"That check box clicking thing got you down? Whats wrong with software that offers to keep itself current? On the one hand you say MS sucks for its security problems, and then on other hand when they design software to help reduce exploitability after a compromise is found you freak out. You cant have it both ways."
Narrow view alert! Heh. What if the auto-update dealie is hijacked? What if the update will break something else on your machine? What if you already fixed the vulnerability another way and don't want to potentially add new problems to your machine?
"I have no idea what you are talking about, but its definately not related to Palladium."
DRM cannot work without Palladium. Palladium will give DRM the toolset it needs in order to work. In a sense, Palladium is DRM (or at least it does the same job), and it is very much a concern.
I don't think anything will prevent the MS/Intel/Government/Hollywood/RIAA conglomerate momentum from marching toward forcing use of DRM based media distribution channels in the future.
/.'ers out there...
...What is real interesting is the new emphasis on Digital Rights Management (DRM), Palladium, etc. The slash dotties, EFF pundits, etc. are rightfully up in arms about it, and I certainly agree in principle with a lot of their concerns.
Instead - all you smart
focus on maintaining and growing the vitality of non-DRM based computing by continuing to develop SW and supporting HW solutions.
So - don't waste energy hand wringing yourselves to death over paladium - get off the tracks before that train runs you over. Instead, get on the *other* tracks, and stay focused on the subject of this post.
Of course, we can't be a bunch ostrich's either. Support for EFF/FSF and any other advocacy group aligned w/non-DRM based computing philosophy is still essential so that there is a level playing field for laying those non-DRM computing tracks (to extend my metaphor above)
Below is part of an email I recently sent to a colleague, where I mused on the future of this DRM/palladium crap...
Here is what I think... What DRM and the architectural changes to the PC architecture in order to support it really portend is just another evolutionary change in home computer application. I think this is the point where the PC 'species' branches into two different sub-species. The traditional general purpose computing platform we are used to today, as characterized by a somewhat open, plug'and'play, 'hackable' architecture. And the new 'Digital Entertainment Computer' (call it a 'DEC' - nice homage to the original DEC computers, eh?). MS is still the king of the software world in traditional PC architecture space, although that position will continue to erode (no matter what MS does). More importantly, MS (along w/Intel) is in a position to define and own the proprietary and completely closed system architecture that will define the OS/HAL/UI for DECs using embedded DRM.
The DEC machines will probably be as mysterious as your cable decoder box, much smarter about detecting hacks, with a keyboard and standard PC peripherals attached, so that if you want to, you can stop watching 'Digivision' console (...my term!) and fire up MS Word if you really need to.
In the DRM/DEC world, beyond universal access to basic broadcasting services, I don't care at all how much MS dictates the standards - just like I don't care how television mfgrs and cable companies design their transmission/decoding and viewing devices. After all, you don't have to watch it, you don't have to subscribe, and you don't have to pay for it if you don't want to. The RIAA will finally stop thinking the world is coming to an end. This scenario is still pretty far out - what I'm thinking of here is the ubiquitous family/home entertainment system of the future, where everything gets its feed from a DRM/DEC device.
So - I'm betting on a rosy future for MS, and especially for anyone who gets in front of the wave of technology and enablement services that DRM and DRM media distribution channels will require. I think traditional PC hackers and open architecture advocates have less to fear from MS than they think in this future scenario. My guess is 10 years from now MS will be focused on preserving market share and raking in licensing fees in digital media distribution, subscription, and decoding (the future MS proprietary monopoly, if you will), and less focused on fighting back the open source/free software movement to preserve share in the traditional desk top OS/application market.