TCPA and Palladium Technical Analysis
An anonymous reader writes "After some months reading TCPA specifications and Palladium information released by Microsoft, I've finished a technical article regarding the two; the scope is technically analyzing what we know on TCPA and Palladium so we can have an objective way to judge how it could really affect us if finally done. You can read it in English or Spanish."
Even if the article is deep in details, it's still unclear to me how well a free/open-source OS could interoperate with such a design. Since the main issue here will probably be the patents pending, it could mean that you won't perhaps be allowed to run Linux in US or Europe, but will be in countries with more freedom (free, not always as in speech, though).
Yup. That's the part that concerns me the most. Not just overwriting your MBR -- what about the potential of the TCPA subsystem in collaboration with the TBB to block your own device drivers written for your own (experimental, read: uncertified) devices? What will this enable CAs to do to smaller electronics firms? Everyone loves it when you can get, say, an optical mouse for a fraction of the cost of the M$ certified one -- and when the cheaper one works with Linux. What happens when the [insert your new cool device here] is probed by the TBB at power-up, prior to boot, and is written off as "device not found" simply because it came from some guy's garage up in San Leandro?
Sure, it SAYS you can deactivate TBB/TCMA, but can you really? What if half your other devices require it to be activated in order to run at all? Then you'd have to grandfather in your new device as a "legacy" device, in the nomenclature of the spec itself.
So it's not just a matter of "What will DRM/Palladium/Trusted Computing do to people who write and distribute their own code? Music? Eyewitness reports of police brutality? People who seem to be having a hard time getting dist keys from the CA?" It's more like something that could kill innovative small companies in the computer industry -- you know, the ones who design and build third party peripherals that compete with -- oh! Compaq, HP, IBM, Microsoft and Intel! Gee, isn't that interesting that they're also the ones drafting the trusted computing standard?
You know, I'd trust "trusted computing" more if it were coming from the IEEE or IETF. Shoot, even the ISO would be welcome here. The usual suspects for drafting standards seem to be noticeable by their absence on this one.
It's a bit unclear (or maybe I didn't completely 'get' that part), how the trusted drivers would be pulled in. I think this would be 99% in the OS and not strictly part of the TCPA. Look at it this way, just what are you going to checksum to make a fingerprint that assures you that the complete OS/driver/configuration set remains unchanged? Even if you manage to do this, you have to allow for it changing, or it is hard to change anything on the system after initial configuration. All this adds up to a situation where either the system is useless, or the controls are relatively easy to circumvent (which is why they need DMCA too). Perhaps more worrisome is the fact that DMCA probably makes it illegal to do any interesting hacking or reverse engineering on a Palladium system.
I don't find TCPA to be that much of a problem in and of itself. As the article points out, the problem is that it is relatively weak at points, and the privacy issues that you have to trust to the CAs. The really nasty bits are not in the TCPA, but in how it is applied. If your goal is to beef up the security of your corporate network, you should be able to implement the CA yourself, and protect any information exchanged with the CA within your own operations, but if your need is to work with DRM media, I doubt this will be possible.
Keep in mind that Palladium is still pretty much vaporware, so we don't know how or what it will restrict. It doesn't look like anything can dissuade MS from going down this path, and it is likely that the worst of our fears will be realized in the next few years. OTOH, there are bound to be problems with the implementation, and if MS burns themselves badly enough early on, they may just scrap the whole thing. I doubt that though, more likely they will stubbornly keep at it until they realize that Linux has gotten ahead of them in market share, and their business is now doomed. At that point, they might even get religion and adopt Open Source as a business model.
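Added example, not part of the thread or of the linked article: a small model of the fingerprinting question raised in the comment above ("just what are you going to checksum..."), using the hash-extend operation of TCPA 1.x platform configuration registers, new = SHA1(old || SHA1(component)). The component names and contents are constructed placeholders and the function names are hypothetical.

```python
import hashlib

PCR_SIZE = 20  # SHA-1 digest length, the register width in TCPA 1.x


def extend(pcr: bytes, component: bytes) -> bytes:
    """TCPA-style extend: new = SHA1(old || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_chain(components):
    """Fold an ordered list of (name, bytes) into one register value.
    Returns the final value and the per-step log a verifier would replay."""
    pcr = bytes(PCR_SIZE)  # register starts as all zeros at reset
    log = []
    for name, blob in components:
        pcr = extend(pcr, blob)
        log.append((name, hashlib.sha1(blob).hexdigest()))
    return pcr, log


def replay(log):
    """Recompute the register from a measurement log alone."""
    pcr = bytes(PCR_SIZE)
    for _name, digest_hex in log:
        pcr = hashlib.sha1(pcr + bytes.fromhex(digest_hex)).digest()
    return pcr


def first_divergence(log_a, log_b):
    """Name the first component whose measurement differs between two boots."""
    for (name_a, d_a), (name_b, d_b) in zip(log_a, log_b):
        if (name_a, d_a) != (name_b, d_b):
            return name_a
    return None


# Constructed sample boot chains (stand-ins, not real firmware or drivers).
BASELINE = [("bios", b"bios-1.0"), ("loader", b"loader-2.3"),
            ("kernel", b"kernel-2.4.20"), ("mouse-driver", b"vendor-driver-1.0")]
UPDATED = BASELINE[:3] + [("mouse-driver", b"garage-driver-0.1")]
REORDERED = [BASELINE[0], BASELINE[2], BASELINE[1], BASELINE[3]]

if __name__ == "__main__":
    base_pcr, base_log = measure_chain(BASELINE)
    new_pcr, new_log = measure_chain(UPDATED)
    print("baseline:", base_pcr.hex())
    print("updated: ", new_pcr.hex())
    print("changed at:", first_divergence(base_log, new_log))
```

Swapping one driver, or loading the same components in a different order, yields a different final value, which is why a verifier comparing against a fixed fingerprint has to be told about every legitimate change; the replayable log is what lets it see which component moved.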