Slashdot Mirror
RMS Urges Opposition to "Trusted Computing"
Andy Tai writes "In this Newsforge article, Richard Stallman analyzes the "Trusted Computing" initiative and Microsoft's Palladium, points out that such initiatives are really means to ensure your computer can be trusted by Microsoft and Hollywood (you can't do things they don't want), and urges computer users to organize, to support the Public Knowledge and the Digital Speech projects and to use their consumer power to block "Trusted Computing" in its tracks."
...RMS made quite a fool of himself at MIT's recent Palladium discussion. Highlights include taking the podium uninvited, having Ron Rivest (the "R" in RSA) tell him to please stay on-topic, and delivering his stock rant under the guise that it was topical.
RMS is a dork. A principled dork, but a dork nonetheless.
Well, the bank has incentive to not screw with you a whole lot. Mainly because of the competition and mainly because the Gov't takes that type of crap very seriously.
MS doesn't have niether competition nor federal mandates preventing computers from being restricted.
How am I supposed to make a point of how Microsoft's intentions are evil (which they clearly are), when I can't find a good example where trusted 'fill in the blank' doesn't work.
Well, start with Paypal, which a lot of people trusted as a bank but then got screwed when Paypal froze their funds. Google for Paypal frozen accounts and you'll find tons of horror stories.
Then move on to the online storage of credit card data, and think back to when CDNow got hacked and all their consumers' credit cards were tossed around to the public.
I'm sure you'll get hundreds of examples here, but come on, you really don't have to think too hard.
What's your damage, Heather?
former student, returned to his Alma Mater and gave a talk on some of the
technical aspects of Microsoft's Palladium project. Brian began the talk with
a quick overview of the goals of the project. He stated that Palladium's
goal was to 'Protect Software from Software'. He went on to enumerate some
of the nightmare scenarios that keep the Palladium team up at night, such as
a virus/trojan that launches something worse than a Denial Of Service (DOS)
attack.
These included:
After this brief introduction, Brian went on to describe a hardware based
software security system that would provide 'Fingertip to eyeball security.'
This system would consist of a hardware Security Support Component (SSC)
chip, a special security kernel called the 'Nexus' and user level security
applications called 'Agents'. Palladium would also require alterations to
the MMU for the curtailing of memory and USB for secure input/output.
Brian admitted that Palladium would offer no protection against DOS
attacks and that Palladium would necessarily include a universal serial
identifier (this
would be provided by the RSA key burned into the SSC chip). He also promised
that Palladium would run unmodified legacy applications and drivers.
Problems surfaced during the end of the talk when Brian began taking
questions. Richard Stallman correctly pointed out that Palladium was being
presented as a way of improving the security of personal computers. Indeed,
according to Brian, this was the focus of Microsoft's Palladium project, but
no where in his talk did he present any solution to the crucial nightmare
scenarios that are supposedly keeping the Palladium team up at night.
Indeed, as was pointed out by Stallman and others, if Palladium would run
unmodified legacy applications, then how could Palladium thwart the legacy
virus/trojans without upgrading Palladium enabled Outlook/IE/IIS?
The truth is Brian was being disingenuous when he described the nightmare
scenarios that motivate the Palladium team. In all honesty, there are only
two nightmare scenarios that are relevant to the Palladium project:
internet
has ushered in the end of there ever ballooning bottom line
holders
to effectively eliminate the fair use rights of the public
With Palladium, Microsoft plans to solve the former by introducing the latter.
To get to the heart of the matter, we have to ask _why_?
Brian says Microsoft is concerned that large copyright holders will refrain
from publishing works in formats compatible with the Windows PC. My theory?
Microsoft sees an opportunity to bolster there own
bottom line. Palladium is meant to do for DRM what
for web services.
By providing the infrastructure, Microsoft hopes the content companies will
write applications and release content only for Palladium enabled systems.
Joe Consumer who wants to listen to the next Brittany Spears album on his
computer will be forced to upgrade to the next release of Windows/DRM. Of
course, it doesn't hurt that Palladium could provide quite a few wrench's to
throw at Microsoft's open source competitors.
Nightmare scenarios indeed!
And what of Microsoft? Remember, I don't use their operating system at home - and to reiterate, I've never paid them for anything, so why should I bow to their dictates, especially since I don't use their product?
I thought that was how the free market was supposed to work, but I guess the market ain't so free now.
This sig no verb.
Trusted CEOs of Enron and WorldCom?
Trusted polititicans?
In general you can trust people if:
- You through personal experience that they are trustworthy.
- You have thoughouly investigated their background.
- They believe the consequences of screwing you over are bad enough that screwing you over is not to their advantage.
- -- OR --
- The consequences to you of being screwed over are worse than the consequences of not trusting that person.
Of course, this doesn't apply to trusted computing, which actually means that your computer doesn't trust you, not that you trust your computer.And remember, if you lend someone $20 and you never see that person again, it was probably worth it.
A legparnasom tele van angolnaval.
Okay, so you have a piece of hardware with a proprietary operating system. So far so good. But now with trusted computing, that system won't load any component that is not signed by a trusted party. It's not about you trusting what you run, but about Microsoft choosing who gets the privilege of writing software for the platform. If Microsoft doesn't like you, for whatever reason, they can just refuse the signature that is needed for your software to load. This is basically where it is headed; it's the one sure way to use your monopoly to crush the competition, in particular open source. Even if some open source developers get Microsoft to approve their program, that signature will be applied to a particular binary release. The users cannot roll their own binary from the sources, because that won't carry the signature of a ``trusted'' certificate. So basically the operating system vendor regains control as the gatekeeper who determines what will run on your machine. What's worse, if the hardware vendors follow suit, then a certificate will be required by an operating system to boot on the hardware. If you are lucky enough to get a signed version of your favorite free kernel, good luck rebuilding it. The developers may be forbidden from giving you the certificate, if they get to d the signing themselves. That key is copyrighted bits, right? Letting everyone have it would be against the DMCA.
Although RMS does arouse some passions within the slashdot community, in this, I believe, he is right.
There is, in English Common Law history, a subject area, called the Enclosures Acts, where vast quantities of land were removed from common use, and awarded to landowners in what was a thinly veiled land grab.
It had justification, of course. Private Ownership was deemed more efficient by those that grabbed the land. Far be it for the government to disagree. The whole idea of common weal ( as in commonwealth) was called The Tragedy of The Commons.It would appear that history is attempting to repeat itself. If computing can be controlled by a trusted source - Who will that trusted source be?
This age old problem, can be solved in a number of ways - a dictatorship, or, a democracy, or...
Not quite trusting my fellow man, I think I would rather do my own choosing. But then, I use GPL'd software. A lot. And your choice will be?
This is progress?
"Wait a minute? I do... and so far it seems to work... BLOODY HELL! How am I supposed to make a point of how Microsoft's intentions are evil (which they clearly are), when I can't find a good example where trusted 'fill in the blank' doesn't work... Anyone??? ?"
I'm puzzled how this is more 'flamebait' than 'interesting'. I think he makes a good point. There's nothing wrong with stopping and asking "Why should I follow the anti-MS stampede?". If you guys knee-jerk against every single thing that MS says or does, then how's anybody going to take you seriously when they do something that's really really bad.
As for my response: The main reason I'm against this is that the wrong problem is getting solved, and the consumers get burned for it. The problem is not that computers need to be restricted so that Hollywood can feel safe with digital content, the problem is that Hollywood needs to learn how to make it in this market.
Hollywood doesn't understand that people are happy to pay for service, but they can't pay until the service is provided. Right now, I could go download a bunch of movies from kazaa. What would that experience be like? Well, I get varying quality, unreliable connections, and it takes hours (sometimes days) to get a movie to come down. Now if I could pay $5 to download a guaranteed high quality movie at a speed of 100KB/s, why would I even care about Kazaa?
If the internet got to the point that p2p could work that fast, then the pressure is on Hollywood to provide a better service. "The first 100 people to buy this movie will also recieve a still from the movie..." or something like that.
PC's and the Internet are marketing opportunities, they are not exploits designed to put Hollywood out of business. If they're not willing to get with the times, then they don't have any reason to get computers regulated with technology like Palladium.
"Derp de derp."
-
Boot-Level Programmer-San Jose
I figured TCPA was just some buzzword I could pick up out of a book if I got the job. I do that all the time. But no: The blurb about "changing the way people see, hear and play" just didn't register.I hope they do call me though. I'll give them a piece of my mind, followed by the URL of my DeCSS mirror.
Now I ask you this: if they're verifying the "system integrity" of a linux box with the TCPA, are they complying with the GPL?
Request your free CD of my piano music.
FACt: everything is politics.
You're more than welcomed to just code in your own little world, do all your work in your own little world, etc. But politics is still involved, whether you choose to ignore it or not, and it still affects you.
RMS realizes this and thus considers politics as integral in any software project.
Palladium is all about politics. Its about the polics of the BSA, the RIAA, and the MPAA conrolling what you do through MS, which will undoubtedly make unholy alliances to please these parties and profit. Palladium is about MS trying to make the GNU/Linux OS an impractical choice for users, as no hardware would run it. MS may say this about technical matters -- i.e., security, virus-prevention, etc etc -- and it is in part; but there is also politics running through the fibers of this idea. Politics is ubiquitous in this Palladium project.
As is predictable, everyone's been more than willing to jump on the "bash RMS" bandwagon. It actually reminds me of the Michael Jordan situation in the NBA. Here's a guy who's done alot for the NBA, alot for his team, and alot for basketball in general, and people are constantly criticizing him for making personal decisions which he had the right to make (i.e., to come out of retirement). Similar thing with RMS.
Many criticize RMS for what he says or where he says it; i.e., mentioning such things in newsgroups or forums which are "not meant for discussing those issues". But the politics of what he talks about is relevant to kernel developers and coders, even if they're too stupid to realize it. RMS is not an extremist. Or, if he is, extremism in defense of liberty is not a bad thing.
social sciences can never use experience to verify their statemen
I don't think this is a question at all - we have to stand against this latest MS evil plan. Not everyone agrees with everything RMS says (though I do think that GPL style free software is a blessing, I'm not against software that's more restrictive - but there needs to be a choice) but on this issue I don't think there can be too many who think he's wrong.
Afterall wasn't it Microsoft who lied in court? Or just last week about the "switcher"? They can't be trusted, it's that simple - they've shown that time and time again.
As for Hollywood, well again why should my computer put the needs and wishes above my own? So I buy a DVD, why can't I play that everywhere? Why can't I create my own player? Who says I shouldn't be able to buy a DVD while on holiday and be able to watch it when I get home? If I save a little money by buying it overseas isn't that my good fortune? Why should a commodity like a DVD have such wide differences between price and terms in different places?
No there are legitimate reasons why I might want to do things that MS/Hollywood want to stop - I don't see why my computer should help them take away MY FREEDOM?
Personally I think it's time we started something like FSF for hardware (FHF if you will) so that we can escape the clutches of "the evil Empire".
What happens next? The PC refuses to run any OS without a Microsoft signature, and we're blocked from reverse engineering it? This seems to be happening already with the Xbox, is this just a test case for the whole PC?!
Perhaps Red Hat should make a PCs, and allow anyone to copy the design. For no other reason than to protect THEIR business model.
There's nothing wrong with stopping and asking "Why should I follow the anti-MS stampede?"
True enough... but using logic like "I trust banks, so why not trust MS" is pure lunacy..
Banks are required (by law) to be FDIC insured. There is none of this "we take no responsibility for your money - if we get robbed, you'll lose it, even if it was our fault" mentality that MS seems to have (read your EULA some time)
If a bank decided (for no reason) to tell you "I'm sorry, I don't feel like giving you your money", they can be shut down, and the officers thrown in jail.
As soon as MS takes some responsibility for their products and services, maybe I'll start to trust them.
The fact the word "trusted" is in this thing means NOTHING. The word is just there as a PR thing, something microsoft set up to make people feel all warm and fuzzy toward them. I could move into your neighborhood and start a program i call the "community trust system" in which you pay me money, and as a result you get to sleep safe at night trusting that my hired thugs will not come smash in your windows... and the fire department, which i have bribed, will actually come to your aid in the case of an unfortunate fire at your house... but that wouldn't have anything to do with either "community" or "trust". It would just be extortion. ..but then, if I also paid off the town newspaper and made sure that all anyone from other sections of town heard about was how great it was that the areas with the Community Trust System had much lower crime, then people on the other side of town would walk away thinking the Community Trust System was something really good.
This is what the RMS bunch never gets. If you let the other side set the language of the debate, they start out with a huge advantage. If you just sit there and LET the debate begin in a mode where "trusted computing" is always being used to describe "computing in which microsoft, not the owner of the box, is the one who has final say-so as to what happens on that box" (or "computing in which the user is not trusted at all".. really, palladium is a complicated concept, and trying to reduce it to one catchphrase is just silly).. and "anti-piracy" is always used for "prevents copying".. and "digital rights management" is always used for "technology which lets providers of copyrighted material limit the manner in which that material is used"..
If you let that happen, you're always at a huge disadvantage, because people who walk into the debate late will hear RMS or whoever saying "and so, Trusted Computing is bad!" and they'll go "wait, Trusted Computing sounds good! huh?"
This is made even worse in this particular case becuase the technical issues are simply beyond the grasp of the average person. Unless you have a pretty decent idea of how a computer works, you can't understand what Palladium does, and it takes quite a while for someone to explain to you what Palladium's effect for the consumer will be. As such, the average person, upon hearing about all this, will be faced with two sides to the debate: Microsoft's version of things, which is incredibly simple and easy to grasp because Microsoft is oversimplifying the truth to the point where it's practically out and out lying, and the Free Software People's version of things, which is disgustingly, disgustingly complex becuase it tells the whole truth, with all its confusing technical details and collateral damage. (Well, and becuase the Free Software People are a large, disorganized, and largely not very eloquent group, whereas Microsoft has everything being written by PR firms, and a large advertising budget.) Who do you think the average person is going to listen to? It seems obvious to me-- they simply won't be able to wrap their heads around what the Free Software People are saying. People may walk away with some vague sense Microsoft may be up to something shady, but they'll assume that even if it gives Microsoft lots of power, Palladium does the things Microsoft says it does (which it doesn't, not effectively), and will just forget about all those "side effects" that they heard about but didn't understand.
For people who spend so much time haggling over hacker vs cracker and the whole "GNU/" thing, it always seems so wierd to me they don't get that one simple thing. The vocabulary of the debate matters.
Remember, always remember: With Trusted Computing, you are not the consumer. You are the product. You are being sold to entertainment companies by Microsoft-- and they are paying Microsoft not in money, but by agreeing to use Microsoft's platform for "digital rights management", and Microsoft benefits in that they get validation for their secure, locked-down stranglehold on every single step within the computer between your fingertips on the keyboard and the rays of light coming out of the monitor. (And, of course, if things turn out the way MS hopes, eventually things will reach the point where your average computer user can't realistically ever switch Palladium off, because if they do there will be too many programs they can't run and too many websites they can't visit.) Of course, if Microsoft ever does secure that degree of control, you can bet the entertainment industries will wind up paying Microsoft a decent amount of money, if nothing else for the licensing to encode and decode into the formats of Microsoft's secure platform..
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
"The project began about four years ago as an epiphany among a small group of Microsoft employees who were working to solve the problem of content protection for online movies."
"The end result is a system with security similar to a closed-architecture system but with the flexibility of the open Windows platform."
And to stir up the pot a bit.
And keep in mind that banks weren't always so trustworthy, and that it has taken centuries of bank failures resulting in economic slowdowns before we have reached the current state of "trust". The first central bank in the US was chartered in 1791. Nationally chartered banks were established in the mid 19th century, to ensure a stable consistent national currency. The current Federal Reserve system was established in 1914. Bank failures during the great depression of the early 1930's resulted in more regulation under the New Deal.
Banks were once not considered trustworthy - hence the tales of old folks with their life's savings hidden under their mattress. The current state of trust in banking institution results from a long painful history of experiments, failures (and lost savings) and government regulation. Banks are perhaps the most regulated and most audited commercial organizations in the country.
Banks have had to earn their trust in ways Microsoft never has (and likely never will)
"dope will get you through times of no money better than money will get you through times of no dope"
It's easy to do so when YOU aren't that bright. He might not be a Jeffersonian speaker (well maybe George Jeffersonian) but he has done more to further OSS than you that's for damn sure. You're lucky he's even around after the shit you constantly heap on the guy.
So he's not eloquent: you can't diminish what he's done.
Stop being such a snot and shut the fsck up. Cut RMS some slack. At least he contributes something of substance where it counts. You? Well it's real easy to be enlightened when you're sitting on YOUR ass on a mountaintop somewhere and all you can contribute are some comments that you hope get modded up.
I got a shitload o karma to burn baby so mod me down and flame as high as possible you unappreciative shits.
</TANTRUM>
Please, please do not use the words "secure application" when what you really mean is "approved application".
What I suspect you really mean is "an application that is doing only what the user intends that application to do". However, that is not necessarily the same as "approved application". (Since software vendors can stick all sorts of cruft and spyware into their "approved" applications) Some Palladium supporters would like everyone to assume that they are the same, and the use of "secure application" supports this confusion.
"Secure application" presumably means, among other things, "an application that is not vulnerable to attempts to make it misbehave". This is also not what "approved application" means.
I wonder - if an approved application contained a buffer overflow or other vulnerability, would it be possible to write a trojan that would operate entirely through that vulnerability as though it were a trusted application? (e.g. a trusted server could be exploited remotely and then the trojan code loaded into memory, running as a thread of the trusted server process) Tricky perhaps, but I've not heard anything that makes me think that Palladium will avoid that scenario.
Most of us had gone there hoping that someone would put Brian on the spot. Even those who are friends would have liked to see how he would cope with a difficult question. Unfortunately RMS did not ask a difficult question, he just went off onto a rant. As a result everyone who followed was making sure that they distanced themselves from RMS.
The way to put someone on the spot in a case like that is not to make the most ridiculous assertion about the other side. Instead you should make the question appear to be as reasonable as possible and design it so that it exposes the unreasonableness of the other person.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Comment removed based on user account deletion
"MS doesn't have niether competition nor federal mandates preventing computers from being restricted."
That sentence should be dragged out into the street and shot.
Too bad that Grammar guy isn't here to point out the tragedy of double negatives, improper spelling, confusing wording, and a run-on sentence all in one! It's like looking at a 16-car accident.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
I find it absolutely comical how self centered _some_ Americans are, to the point that they think the TCPA and related AMERICAN technologies (Palladium, etc.) will be the end of free computing in a global sense.
Do they really think asian/european PC hardware manufacturers are going to radically redesign their products to serve the needs of American capitalism?
Not a chance.
The TCPA may be the end of free computing in America (though I doubt it), but the rest of the world will continue on its merry way.
Get over yourselves!
I apologize in advance to all open minded Americans, you know who you are.