Slashdot Mirror
Palladium Changes Name
thelinuxking writes "According to this CNET article, Microsoft has changed the code name of its highly controversial 'trusted' computing platform from 'Palladium' to 'next-generation secure computing base.' Microsoft claims that the name is being changed to reflect the fact that Microsoft is 'embracing this technology in terms of folding it into Windows for the next decade.' Also, an unnamed small firm has claims to the trademark of 'Palladium'. Microsoft denies that they changed the name due to the criticism 'Palladium' has recieved, and released the source code to the core part of the software to show that the software is secure and does what they claim." Notice the PR diversionary tactic: it's being criticized because it does what they claim, not because it doesn't. :)
Try saying that fast ten times in a row?
zWhat would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
All your next-generation secure computing base are belong to key signer.
If you cannot convince them, confuse them!
"There is no teacher but the enemy."-Mazer Rackham
"Microsoft denies that they changed the name due to the criticism 'Palladium' has recieved, and released the source code to the core part of the software to show that the software is secure and does what they claim."
Released the source to who? I don't remember seeing this anywhere and a little googling comes up with nothing. Seems like you would want to post it to slashdot since open source users are the ones most concerned about the ramifications of pallad... Err next generation secure computing base.
Becasue if you've ever been involved in large-scale IT projects from the early days, you tend to find engineers use their own pet names for them. One sticks, get's used as a codename while the project is in development stages. This usually gets released in initial publicity documents.
On the other hand, given that Exchange 2003 is code-named Titanium, I'd wager that someone's been looking at the periodic table.
I doubt Palladium was ever going to be used as a release name, something boring like MS MyVault...
Secure Computing Base
...and sell them Windows and Office.
The Next Generation
Cyberspace- the final frontier.
These are the voyages of the monopoly: Microsoft.
Its continuing mission- to seek out new life and new civilizations...
graspee
I keep hearing that TCPA is NOT the death of Free software. But how can that be?
Here's how I understand Palladium. It is implemented beginning at the hardware level. The hardware refuses to execute a boot sector that has not been digitally signed. Therefore, only "trusted" boot loaders will work.
From here, the trust is handed to the software, and the trust keeps expanding as more software is loaded. Some future version of Windows, let's call it Windows Secure User eXtensions, or for short, just Windows SUX, would be designed to cooperate with this trust model. The boot sector for WinSUX would be digally signed. So the hardware would load and execute the boot sector.
The boot sector loads an OS kernel from disk, the WinSUX kernel. Now the boot sector will not execute the kernel unless it is digally signed. So once the boot sector checks the signature, it passes control to the loaded kernel. The trust keeps expanding. Once the kernel is in control it can run only digitally signed device drivers, thus ensuring security of the hardware, and that only trusted hardware is used. WinSUX can also only run trusted applications, such as Windows Media Player, thus ensuring DRM. Untrusted applications could be run within a sandbox by WinSUX - with certain API's and raw access to the hardware being off limits. Thus only trusted DVD players, media players, etc. will run. There will be no CD audio rippers, because they, being unsigned and untrusted, won't have access to rip the raw bits from an audio CD.
Just as WinXP requires registration to use, WinSUX can do likewise. But with WinXP there are already numerous hacks to defeat the registration mechanism in WinXP. Not so with WinSUX. If you tamper with the code, you invalidate the digital signature, and the boot loader won't run the OS. Or if you didn't tamper with the kernel, then whatever trusted DLL or application you had to tamper with won't get run by the kernel because it's digital signature will now be invalid.
Being able to trust that WinSUX is trusted also allows Microsoft to ensure things that they cannot ensure today. They really could make WinSUX expire after two years and refuse to run. You could not patch WinSUX in order to continue running the OS you paid for.
So it seems like WinSUX does give security to Microsoft and to Hollywood, but not to the user. There still could be remote root exploits in WinSUX, thus allowing hackers to compromise running systems, steal credit card numbers, deface web pages, plant remote monitoring software, launch remote attacks, etc.
So far my analysis has not mentioned open source. Some would say, "If you don't like Palladium, then don't run WinSUX." But this ignores the fact that Palladium begins at the hardware. In order to run any bootloader, it must be signed.
There is no way that Microsoft is going to sign a bootloader like, say, LILO, the boot loader for Linux, unless it is trusted. Now LILO is open source, and Microsoft could say they will sign a "trusted" version of LILO. That is, if LILO is patched so that it will only execute a digally signed Kernel. So, LILO is patched, it is open source, Microsoft inspects the source, compiles it, and signs it. Now you can use the LILO boot loader and only execute signed Kernels. But all we've done is move the problem. Now I can only run signed Kernels. Maybe major distribution kernels such as SuSE, Red Hat, etc could have signed kernels. But what about Joe User who wants to compile his own kernel? What about developers who compile thirty kernels a day?
Of course, I'm sure Microsoft will find ways to make their own internal kernel developers lives easier. In fact, this becomes one way in which Microsoft can make external OS developers lives more difficult, and give their own developers an advantage.
The fact remains that the only way you're going to get a Kernel signed is if it is trusted. This means inspecting the source to make sure it doesn't have any naughty bits, and promises not to ever execute any other naughty bits. Signing kernels also becomes a new revenue stream for Microsoft.
But some would say: "But Palladium is optional, if you don't like it, just don't use it." Do you really expect me to believe that it will be optional? If it is optional, then all of its benefits completely disappear.
If Palladium were optional, then the following scenario would be possible. Put LILO into boot sector of hard drive. Boot up a specially crafted loader which loads the WinSUX kernel, patches it to bypass its security, and then start execution of the compromised WinSUX operating system. Once a compromised WinSUX can be executed, then all security bets are off. I could compromise its ability to run only signed device drivers. I could compromise its ability NOT to run an MP3 ripper. Compromise its registration mechanism, thus allowing pirated copies of WinSUX. Compromise its ability to quit running when it has reached the expiration date. It would even be possible to compromise WinSUX to allow the reading of material which Microsoft might consider "subversive", such as what you are reading right now.
Does anyone really believe Microsoft would go to so much trouble to ensure security only to turn around and make it optional? Optional means that the entire security of WinSUX and other future versions of Windows could be defeated. (Of course this is true on any non-Palladium hardware, such as a hardware emulation like Virtual PC.)
Let's continue with the analysis of getting open source programs to be "trusted". Maybe Microsoft runs a service where they will inspect another OS kernel to make sure it is trusted, and then they will sign it, so that the trusted LILO will run it. A trusted Linux kernel would have to be trusted not to execute any naughty code. Linux is trusted as long as it does two things: (1) only executes signed LKM's (Linux Kernel Modules), and (2) keeps certain API's off limits to untrusted user space programs. (You'll note that this is just how I previously described WinSUX.)
A Visual Basic programmer could write his own toy programs. But he could never write code that did anything naughty, such as play DVD's. Or he could do so only through secure COM components. System level programming would now become something that only a special "guild" could do. Ditto for device drivers.
Would Microsoft relax these restrictions? If I could run arbitrary LKM's, then all bets are off. I just write a Linux Kernel Module that holds interrupts, wipes memory clean, loads WinSUX, patches it, and then starts the compromised WinSUX running on the hardware. The LILO-Linux-LKM just becomes a means to an end of running compromised patched WinSUX code.
So in short, Palladium cannot be optional. If it were optional, then why bother at all? It guarantees nothing to the user. It only makes guarantees to Microsoft and to Hollywood. By making it optional, then these guarantees disappear.
If Palladium is not optional, then who holds the keys to sign programs? If just anyone can get any arbitrary program signed to run on the hardware, then the entire point of Palladium disappears. (I just need to get a special loader-patcher signed to compromise WinSUX. Or get some other program signed that will run my loader-patcher on the raw hardware.) If only trusted Open Source operating systems can run, then this effectively destroys open source. But Microsoft gets to play the PR game of saying that Open Source is welcome to participate in Palladium.
How can they pull this off? Just require all hardware to implement Palladium in order for it to run WinSUX. Most users will happily buy a computer with WinSUX preloaded. So the public will not understand that by allowing Palladium hardware to become widespread that they have just cemented Microsoft's control over what software that you can run on your computer.
I'll see your senator, and I'll raise you two judges.
"next-generation secure computing base" or, as it is known in-house, "Bend Over(tm)"
Rumagent