Slashdot Mirror
RMS Urges Opposition to "Trusted Computing"
Andy Tai writes "In this Newsforge article, Richard Stallman analyzes the "Trusted Computing" initiative and Microsoft's Palladium, points out that such initiatives are really means to ensure your computer can be trusted by Microsoft and Hollywood (you can't do things they don't want), and urges computer users to organize, to support the Public Knowledge and the Digital Speech projects and to use their consumer power to block "Trusted Computing" in its tracks."
Ya, just like I 'trust' the banks with my money, and I 'trust' the .... ^H^H^H^H^H^H^H^H^H
Wait a minute? I do... and so far it seems to work... BLOODY HELL! How am I supposed to make a point of how Microsoft's intentions are evil (which they clearly are), when I can't find a good example where trusted 'fill in the blank' doesn't work... Anyone???
---
Programming is like sex... Make one mistake and support it the rest of your life.
...RMS made quite a fool of himself at MIT's recent Palladium discussion. Highlights include taking the podium uninvited, having Ron Rivest (the "R" in RSA) tell him to please stay on-topic, and delivering his stock rant under the guise that it was topical.
RMS is a dork. A principled dork, but a dork nonetheless.
former student, returned to his Alma Mater and gave a talk on some of the
technical aspects of Microsoft's Palladium project. Brian began the talk with
a quick overview of the goals of the project. He stated that Palladium's
goal was to 'Protect Software from Software'. He went on to enumerate some
of the nightmare scenarios that keep the Palladium team up at night, such as
a virus/trojan that launches something worse than a Denial Of Service (DOS)
attack.
These included:
After this brief introduction, Brian went on to describe a hardware based
software security system that would provide 'Fingertip to eyeball security.'
This system would consist of a hardware Security Support Component (SSC)
chip, a special security kernel called the 'Nexus' and user level security
applications called 'Agents'. Palladium would also require alterations to
the MMU for the curtailing of memory and USB for secure input/output.
Brian admitted that Palladium would offer no protection against DOS
attacks and that Palladium would necessarily include a universal serial
identifier (this
would be provided by the RSA key burned into the SSC chip). He also promised
that Palladium would run unmodified legacy applications and drivers.
Problems surfaced during the end of the talk when Brian began taking
questions. Richard Stallman correctly pointed out that Palladium was being
presented as a way of improving the security of personal computers. Indeed,
according to Brian, this was the focus of Microsoft's Palladium project, but
no where in his talk did he present any solution to the crucial nightmare
scenarios that are supposedly keeping the Palladium team up at night.
Indeed, as was pointed out by Stallman and others, if Palladium would run
unmodified legacy applications, then how could Palladium thwart the legacy
virus/trojans without upgrading Palladium enabled Outlook/IE/IIS?
The truth is Brian was being disingenuous when he described the nightmare
scenarios that motivate the Palladium team. In all honesty, there are only
two nightmare scenarios that are relevant to the Palladium project:
internet
has ushered in the end of there ever ballooning bottom line
holders
to effectively eliminate the fair use rights of the public
With Palladium, Microsoft plans to solve the former by introducing the latter.
To get to the heart of the matter, we have to ask _why_?
Brian says Microsoft is concerned that large copyright holders will refrain
from publishing works in formats compatible with the Windows PC. My theory?
Microsoft sees an opportunity to bolster there own
bottom line. Palladium is meant to do for DRM what
for web services.
By providing the infrastructure, Microsoft hopes the content companies will
write applications and release content only for Palladium enabled systems.
Joe Consumer who wants to listen to the next Brittany Spears album on his
computer will be forced to upgrade to the next release of Windows/DRM. Of
course, it doesn't hurt that Palladium could provide quite a few wrench's to
throw at Microsoft's open source competitors.
Nightmare scenarios indeed!
Okay, so you have a piece of hardware with a proprietary operating system. So far so good. But now with trusted computing, that system won't load any component that is not signed by a trusted party. It's not about you trusting what you run, but about Microsoft choosing who gets the privilege of writing software for the platform. If Microsoft doesn't like you, for whatever reason, they can just refuse the signature that is needed for your software to load. This is basically where it is headed; it's the one sure way to use your monopoly to crush the competition, in particular open source. Even if some open source developers get Microsoft to approve their program, that signature will be applied to a particular binary release. The users cannot roll their own binary from the sources, because that won't carry the signature of a ``trusted'' certificate. So basically the operating system vendor regains control as the gatekeeper who determines what will run on your machine. What's worse, if the hardware vendors follow suit, then a certificate will be required by an operating system to boot on the hardware. If you are lucky enough to get a signed version of your favorite free kernel, good luck rebuilding it. The developers may be forbidden from giving you the certificate, if they get to d the signing themselves. That key is copyrighted bits, right? Letting everyone have it would be against the DMCA.
Although RMS does arouse some passions within the slashdot community, in this, I believe, he is right.
There is, in English Common Law history, a subject area, called the Enclosures Acts, where vast quantities of land were removed from common use, and awarded to landowners in what was a thinly veiled land grab.
It had justification, of course. Private Ownership was deemed more efficient by those that grabbed the land. Far be it for the government to disagree. The whole idea of common weal ( as in commonwealth) was called The Tragedy of The Commons.It would appear that history is attempting to repeat itself. If computing can be controlled by a trusted source - Who will that trusted source be?
This age old problem, can be solved in a number of ways - a dictatorship, or, a democracy, or...
Not quite trusting my fellow man, I think I would rather do my own choosing. But then, I use GPL'd software. A lot. And your choice will be?
This is progress?
-
Boot-Level Programmer-San Jose
I figured TCPA was just some buzzword I could pick up out of a book if I got the job. I do that all the time. But no: The blurb about "changing the way people see, hear and play" just didn't register.I hope they do call me though. I'll give them a piece of my mind, followed by the URL of my DeCSS mirror.
Now I ask you this: if they're verifying the "system integrity" of a linux box with the TCPA, are they complying with the GPL?
Request your free CD of my piano music.
Man, I can see DRM and Palladium getting closer every day.
Stallman's examples this time are rather simplistic. His concerns about "DRM", aside from the "I want to be able to shock myself" degree of control he wants for PCs, aren't all they're chalked up to be. Calling it "trecharous computing" makes him sound like a kook, not a serious voice.
To wit:
"Your boss's e-mails will be written in disappearing ink!"
"You won't be able to send incrimiating documents to the press!"
Any corporate system that causes the main focus of communication to automatically expire with no way to retrieve it is a poor business model, not an aspect of trusted computing. Investigative and Corporate preferences aside (after Enron, do you REALLY think that it'd be hard for Congress to slap a "records requirement" on corporations?), someone should be able to mark their e-mails as "archived." And you can always just print out the document...
And, if some company is too paranoid to keep any e-mails and advanced enough to be truly paperless, there's still a digital camera and the on-screen display. Or the simple expediency of calling the cops...
As for the rest--if MS wants Word to be Word-only, more power to them. It'd keep some large usability problems from arising, and quickly tone down word e-mail.
Postscript 2 really irks me. I'm no programmer, but even I can imagine a system where "untrusted" code & docs are run in a "sandbox," where they can't do any real harm and the user can still use them. Given six months of speed increase, the user probably won't even notice the difference between "game on new system's emulated layer" and "game on old system raw."
*sigh*
I don't think this is a question at all - we have to stand against this latest MS evil plan. Not everyone agrees with everything RMS says (though I do think that GPL style free software is a blessing, I'm not against software that's more restrictive - but there needs to be a choice) but on this issue I don't think there can be too many who think he's wrong.
Afterall wasn't it Microsoft who lied in court? Or just last week about the "switcher"? They can't be trusted, it's that simple - they've shown that time and time again.
As for Hollywood, well again why should my computer put the needs and wishes above my own? So I buy a DVD, why can't I play that everywhere? Why can't I create my own player? Who says I shouldn't be able to buy a DVD while on holiday and be able to watch it when I get home? If I save a little money by buying it overseas isn't that my good fortune? Why should a commodity like a DVD have such wide differences between price and terms in different places?
No there are legitimate reasons why I might want to do things that MS/Hollywood want to stop - I don't see why my computer should help them take away MY FREEDOM?
Personally I think it's time we started something like FSF for hardware (FHF if you will) so that we can escape the clutches of "the evil Empire".
What happens next? The PC refuses to run any OS without a Microsoft signature, and we're blocked from reverse engineering it? This seems to be happening already with the Xbox, is this just a test case for the whole PC?!
Perhaps Red Hat should make a PCs, and allow anyone to copy the design. For no other reason than to protect THEIR business model.
Comment removed based on user account deletion
There are people who don't trust banks, thanks in part of the Great Depression. The initial development of a bank was in fact a very questionable idea. Dispersement of funds to each family makes a lot less of a tempting target, especially if (at least during the time period) most everyone had a gun. Or do you not recall the numerous stories of bank robberies? How many of the tellers were allowed to carry guns? Of course, times are different now and with government backing of actual accounts instead of the vague notion of banks themselves has brought some higher assurance of trust with banks. Take this against stark contrast to MS which has been ruled a monopoly and the government is currently still deciding on adequate punishment. Before we can begin to trust MS or its partners, we need a working proof of concept..and then someone we can at least vaguely trust to back them beyond simply other companies (unless you trust profit oriented organizations, solely).
1) The traditional one. This puts the access control of computer resources in the hands of computer owner.
2) The DRM, CP Protection etc: These system wants to take away access control from the owner.
I don't know why the second part is even called "security".
The problem with DRM etc is that once they become more wide spread, someone will provide a method to defeat them. And once defeated, there is no easy way to enable them since the owner doesn't want to enable them! E.g. region code and macrovision disabling in most dvd players. So the only way to implement DRM etc would either be by making it a law and have a very stringent enforcement or don't allow people to buy computers (just allow them to rent only, which will contain license clause that the sytem must be audited, insured at renters expense). Either of the proposition is very expensive.
How does he eat? Open source food (aka foraging)?
Silly comments aside, there are two things that must be balanced, the rights of the copyright holder/content producer and the rights of the consumer.
If the copyright holder/content producer is not protected then the incentive to produce and innovate is greatly reduced. Bills need to be paid, families fed, etc. Those things happen when the commodity (content) is paid for. (e.g. how does RMS eat? He must expect to get paid for some things and I'm sure he wouldn't appreciate it if I collected his assorted writings and published them without recompense to him)
On the other hand, the consumer has certain rights granted when the content is acquired. People must be vigilant to ensure those rights aren't abridged.
RMS needs to moderate himself and find a workable solution in the middle. He smacked of Chicken Little when he started on the treacherous computing and MS Word thing. First they get you with the file format, then next thing you know, "You might be unable to read [your writing] yourself." Yes, there's a good business model for word processor sales - a write only word processor.
That's just one example where his extremism will turn people off. This isn't about black vs white - everyone needs to win here. He certainly sees himself on the moral high ground but what is really needed is a solution for the masses. If he isn't working towards that solution then he is part of the problem, and he'll soon be regarded like that guy found on every college campus, the one standing on some steps somewhere ranting or preaching or something.
> were not intended to protect us from powerful corporations.
Unclear. Government franchises, aka. "Corporations", were well known and widely used to accomplish the evils of government when the Constitution was drafted. They date back quite some way, in fact, where "limited liability" was granted by the Throne to, um, enable, tax collectors maximum ability to collect from deadbeats.
Even today, most local (township/county) tax collectors in the US are NOT a formal part of the government -- even though you "vote" for them. You are, in fact, authorizing nothing more than a G2C relationship. If the Corp loses your payment, EVEN IF THE STEAL IT, you can't protect your home nor sue the Government. Your cause of action is only against the Corp. Been there, and lost, as the Corp was dissolved when another was voted in.
Corporations were then, and still are, the way government distances itself from popular review. Unlike you and I, Corporations are subject only to the rights they are explicitly granted -- not the Constitution. So the Governments can pass a law that says Corps enforce X to their consumers/employees, even if the Constitution would expressly forbid them from passing such a law on you directly.
Why can you save 20-25% of your salary tax free, but only if you work for a Corp? If you don't you're limited to the $3000 IRA max? Unequal application of law is unconstitutional, no?
Fact is, Corps can be directed to enforce law outside the boundries of the Constitution. Their use to that end is pretty much the definition of Fachism.
So, it is the US Government pulling this. That's why they created DMCA and are pushing CBDTPA. Both are, basically, laws on commerce that ultimately impose and enforce a legal framework upon you that could not otherwise be established.
What would be interesting would be a virus or trojan that builds its own layer of "trust".
In order to "trust" an application there has to be some way to ensure another application doesn't disable or modify it. Now imagine a virus exploits a trusted application and is now in the trusted realm. You wouldn't be able to remove it because the MMU is protected at the hardware level. Does this mean that virus scanners must be trusted more than the average stock app or bank app? Or is this the end of automated virus detection.
We can no longer afford the luxury of being apolitical. We must stand up for our principles, not only in word, but in deed as well. That means refusing to create the tools by which we, our families, and our friends will be subjugated.
I trust that all persons with even the slightest shred of honor or dignity will stay well away from this invitation to sell out the rest of their community.
Schwab
Editor, A1-AAA AmeriCaptions
Palladium is not DRM. Palladium is hardware enforced encryption.
Depending on how pedantic you're willing to get, you could say Palladium is "the working name given to some software" and leave it at that. The referenced article, however, deals specifically with DRM as one of the likely uses of Palladium technology so please be willing to make that herculean logical leap when posting.
No one is forcing you, or will force you to use anything related to Palladium
Gee, ya think? Nobody claims that MS is holding a gun to anybody's head, how on earth does that invalidate comments about the program? Nobody held a gun to your head and forced you to read the previous poster's comments, but I see that didn't stop you from replying.
Windows XP can phone home for you, or you can do it yourself. Big deal.
It is a big deal in that it is completely unnecessary with regard to the functionality of the product, and it presumes every install of XP is a criminal act involving pirated software until that transaction is successfully made to the satisfaction of Microsoft.
That check box clicking thing got you down? Whats wrong with software that offers to keep itself current? On the one hand you say MS sucks for its security problems, and then on other hand when they design software to help reduce exploitability after a compromise is found you freak out. You cant have it both ways.
Irrelevant trolling. The issue is not that MS generously wishes to fix the bugs in its software mere months after the are brought to enough people's attention that they can no longer be successfully ignored; the issue is that MS insists on packaging unknown, untrusted (by the user), unrelated malware and asserting insane levels of control in the attached EULA, which one of course must click in order to have the original bugs fixed.
I have no idea what you are talking about, but its definately not related to Palladium
If you don't understand how hardware-enforced encryption to which I do not hold the key running on my machine might be likened to a blackbox, then your statement is more of a personal admission of general confusion than the smart, stinging rhetorical question you probably had in mind.
A simple solution to the DRM debacle is this: The reason that "fair use" came into being concering audio casettes and VCRs was that you could *not* get sonic/video quality equal to the original. With digial copying (i.e. "ripping"), I can "rip" a CD on my machine using 320kbps sample-rates and get sonic quality that's as close to the theoretical "perfect" as I can get. The answer is simple: make it illegal to have software that samples anything higher than 96kbps - that way, you're getting about the same degredation in sonic quality as you would get by recording an LP to Cassette (1st generation signal loss). With that schema, you'd never really need DRM, because you could SONICALLY tell the difference between the original recording and a "ripped" copy.
No. I use the mp3 format to rip hundreds of CDs which I purchased in order to burn them onto CD and listen to them in my car. Your plan penalizes me, allowing me only unlistenably poor copies of music I have already paid for.
You don't care because GNU is not your baby, it's his.
It takes a very great man to see his life's work taken for granted by all without any recognition. In effect Linux has killed the ambition of the GNU project, which was to come up with an alternative Unix system written from scratch.
GNU started with the compiler and the utilities and put the kernel last. This made sense at the time if you wanted a usable system at every point. Linus came along with his kernel and stole the show. Nothing wrong with that but it is true that the community should recognize RMS's contribution. A few do but the majority see him as a crackpot.
He is not. In his place most people would react the same, or worse.
But that is not always possible to enforce.
Consider your average bank branch. The machines are owned and administrated by the bank, but in daily use by employees, who are of variable trustworthiness. 99.9% of bank employees can be trusted, but for that 0.1%, you need mechanisms in place to thwart attempts to introduce foreign software that hasn't been vetted by the site administrator (N.B: the site administrator vets the software, not Micros~1 or the {MP,RI}AA).
For instances where the software needs to be updated, the site administrator has the digital certificate for all the machines under his/her control. After verifying that the software does what is expected, s/he signs the binaries with the certificate and ships them off to be installed site-wide. So legitimate installations happen without incident, and unauthorized installations are made NP-hard.
Schwab
Editor, A1-AAA AmeriCaptions