Using Palladium to Secure P2P Networks
user555 writes "The RIAA and MPAA have seen Palladium as a way to prevent piracy. But this article argues that ironically Palladium may actually make P2P piracy more widespread (PDF). They argue that the security features of Palladium could be used to create P2P networks that are more resistant to attacks from content owners."
Looks to me like a cleverly planted story to attempt to stem the tide of ill-will toward the "Next Generation Secure Computing Base," a.k.a. "the lockdown technology formerly known as Palladium."
It's a long read, but I think the conclusion sums it up nicely: "To thwart piracy the entertainment industry must keep distribution costs high, reduce the size of distribution networks, and (if possible) raise the cost of extracting content. However, if 'trusted computing' mechanisms deliver on their promises, large peer-to-peer distribution networks will be more robust against attack and trading in pirated entertainment will become safer, more reliable, and thus cheaper. Since it will always be possible for some individuals to extract content from the media on which it is stored, future entertainment may be more vulnerable to piracy than before the introduction of 'trusted computing' technologies."
"I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
That, and the authors give away their toadyism to the "content industries" by referring to P2P networks as "peer to peer pirate networks," as if they have no possible legitimate use save to board ships on the high seas, murder the crew, and plunder the vessels.
Another proud carrier of the $rtbl flag
1. MS holds all the keys to Palladium. I'm sure it's got backdoors (either because they write insecure code or they intentionally want a back door).
2. The APIs for this will probably be under lock and key. The next Jon Johansen won't have access to the API calls to interface with Palladium.
3. Why use Palladium when you can use WASTE or something similar?
The Doormat
If you're not outraged, then you're not paying attention.
First the RIAA IM bombs much of Kazaa, and now they support "trusted" P2P?
Why, that's like reading this Slashdot article, and finding this ad:
http://m2.doubleclick.net/viewad/790463/mrs0300
If a man's character is to be abused there's nobody like a relative to do the business. -Thackeray, William
The DMCA doesn't necessarily keep investigators from circumventing encryption when monitoring alleged pirate networks. Law enforcement can get a judge's approval to violate 17 USC 1201, in a document called a "warrant":
Will I retire or break 10K?
All they need is an offer they can't refuse and Microsoft will get in bed with the RIAA/MPAA and allow them to have privileged access to Palladium secured items.
If you were able to peruse the source code for Longhorn, you'd see function calls like:
__riaa_checkvalid_song()
__mpaa_is_movie_pirated()
__xxaa_set_torture_flag()
and so on.
One thing academia can't account for is good old politics and strange bed-fellows.
The content creators are not necessarily the content owners. The flaw in this phrase is the thought that the trusted computing scheme would somehow expand the uses of a computer instead of reducing them.
I always thought that we already had ways of transmitting data securely between two points. How would the introduction of a company owned passport server help the user?
And I agree that hardly anyone will begrudge the content creators for wanting to earn money, but right now you can't hurt the RIAA without also hurting the artists.
Hank! White!
Yeah, until the platforms are set up to not even allow you to run Linux on them, and ISPs won't allow you to connect if you're not using a platform that is recognized as secure.
If the mindset that the RIAA and MPAA currently have had been around in the 60's, and they had their way, really, the personal computer never would have existed at all.
File under 'M' for 'Manic ranting'
Hmmm, odd. I've never had problems with either of these things on my Linux network. Perhaps you can enlighten me as to why this can't be done with secure, effective, and open tools?
The $100 M blockbuster is a fixed cost that can be spread over all of the copies. So if you sell one hundred million copies (considering the global market of ~7 B people, not unreasonable) your cost per copy of media is $1. Now the pirate cost is still low, but in both cases "production cost" tends towards zero.
Now, back to distribution.
Assuming the pirate and the legitimate product have identical distribution and identical production cost, there is still the playback cost to the consumer. I claim that pirate material is MUCH more expensive to playback than legitimate. However, this cost is better measured in hours used than dollars spent.
(1) Pirate CD/VCD media -- often the pirate media simply does not work. If the failure rate is 50%, your $2 pirate Metallica disc now costs $4 on average. Now add in the time it took you to bring the disc home, put it in to your CD player, discover it does not work, return to the vendor and buy a new disc. You can save time bringing a discman with you, but now you have to carry a discman and spend a minute or two trying to listen to the disc. Suppose 15 minutes of effort here.
(2) Kazaa -- Take five minutes to look for the track you want, take another ten to download. You have spent 15 minutes acquiring a song which may be corrupt. Now drop it into Winamp or burn it to CDR. Kazaa doesn't have a built in burning tool yet, so add in the cost of Nero -- either in dollars or the time it takes to obtain a pirate copy.
(3) Bittorrent Video -- Take ten minutes to locate a torrent for your video of choice. Note that this video must be a recently released video or otherwise popular in the pirate world. Now take 8 hours to download the video. Spend another half an hour burning it to CD(s) so you can play it.
So in case (1) you pay $4 for the pirate disc plus 15 minutes of your time. In case (2) you still contribute 15 minutes of time, but probably closer to $0.25 for CDR media. In case (3) you spend over eight hours acquiring the media.
Now the class of consumers who have unlimited time or otherwise undervalue their time is limited to those who are either unemployed or employed beneath some poverty line (in this case, defined for the benefit of this example). While a tiny fraction of these unemployed consumers are independently wealthy, we can ignore them. The remaining pirates steal because they cannot afford anything.
Now digital piracy is not the same as real world piracy. The archetypical poor guy who takes a loaf of bread is actually depriving the hard working employed guy of his hard earned meal. In the digital case, the bread is still there, so the hardworking consumer may still benefit despite the theft.
This does not mean that the industry will stop caring about piracy -- after all, the hardworking guy needs a good reason to believe that he should actually pay for his media. But it is clear that it is more efficient for the recording industry to build efficient distribution systems and spend minimal effort complaining about theft.
Okay, in summation:
How to attack a P2P network (aka, find 'em, fake 'em, and kill 'em):
1. Find 'em: Break the confidentiality. If you can sniff the network, and gain access to it, then you can find who has stuff being shared and thus sue them out of existence.
2. Fake 'em: Break the data's integrity. Basically, shove in tons of fake data to piss off other users.
3. Kill 'em: Break the availability of the network. Screw with the protocol, drop packets, generate thousands of fake clients, flood off other clients with search requests.
How to defend a P2P with something like Palladium:
Basically, it breaks down to not letting untrusted clients into your network. Since you can now trust that the hardware is secured, and since every client has to be vouched for in order to get in, you can stop all three of the attacks dead in their tracks. A P2P can be trusted in that other clients it tries to connect to will be able to verify that trust mechanism using the very same secure computing methods that this stuff gives you.
Think of it like this. I trust Bob, so I let Bob connect. Bob trusts Cathy, so I can get a network of trust relationships going. Obviously, somewhere, someone could break that trust chain, but the existence of the trust chain is a new thing that hasn't been implemented yet. Combine it with encryption to prevent sniffing the network or at least make it way too difficult, and I can build a trusted network over which anything can be shared, *and* know that nobody is hacking my clients on either the software or hardware level, such that they can see or send things that they shouldn't.
Find 'em breaks down simply by going through enough nodes to make it impossibly difficult to track down where the hell the data actually is. This is already a nearly solved problem anyway, with stuff like FreeNet's method of ensuring that even the clients don't know what they're sharing.
Fake 'em is broken by the trusted architecture. I can trust, to some degree, anyone on my network because of the chain. I can trust the client isn't doing shit it ain't supposed to be doing. I can trust that the hardware hasn't been modified to some degree. I can revoke clients by breaking the trust links to them or creating an "antitrust" kind of link that other clients might use as well. If someone injects fakes onto the network, I put down that I don't trust them, and voila, that propagates to those who trust me and so on. Creates a closed circle.
Kill 'em is broken by the same trust relationship to some extent. If the client can't get into the network, he can't inject things onto the network. Once someone doesn't trust that client, it finds that nobody trusts him anymore. If someone is attacking via flooding, obviously there's not much you can do except block them down the pipe, but the trust chain lets me tell others on the network that this guy is a jackass and thus they don't trust them either.
And so on.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
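The trust chain and "antitrust" link described in the post above, modelled as an added example (not code from the post or from any Palladium/NGSCB implementation). It assumes the attestation step has already happened, i.e. that a peer's vouch or flag can be believed, and only shows how admission and revocation propagate through the chain; node names are constructed.

```python
from collections import deque
class TrustGraph:
    """Vouch chain plus propagated 'antitrust' flags (constructed model; the
    attestation that makes a peer's report believable is assumed, not shown)."""
    def __init__(self):
        self.vouches = {}   # node -> peers it admits directly
        self.flags = {}     # node -> peers it has flagged as bad

    def trust(self, a, b):
        self.vouches.setdefault(a, set()).add(b)

    def distrust(self, a, b):
        self.flags.setdefault(a, set()).add(b)      # flag b ...
        self.vouches.get(a, set()).discard(b)       # ... and revoke the vouch

    def _reach(self, root, blocked, max_depth):
        # Breadth-first walk along vouch edges, never entering a blocked node
        depth, queue = {root: 0}, deque([root])
        while queue:
            n = queue.popleft()
            if depth[n] >= max_depth:
                continue
            for m in self.vouches.get(n, ()):
                if m not in depth and m not in blocked:
                    depth[m] = depth[n] + 1
                    queue.append(m)
        return set(depth)

    def trusted_by(self, root, max_depth=4):
        """root's view: peers reachable by vouches, minus anyone flagged by a
        peer root still trusts; iterated to a fixpoint so that flagging a node
        also drops the peers reachable only through it."""
        blocked = set()
        while True:
            reach = self._reach(root, blocked, max_depth)
            newly = set().union(*(self.flags.get(n, set()) for n in reach)) - {root}
            if newly <= blocked:
                return reach
            blocked |= newly

def demo():
    # Constructed chain alice -> bob -> cathy -> dave -> eve; mallory is unconnected
    g = TrustGraph()
    for a, b in [("alice", "bob"), ("bob", "cathy"), ("cathy", "dave"), ("dave", "eve")]:
        g.trust(a, b)
    before = "eve" in g.trusted_by("alice")   # True: eve sits at the end of the chain
    g.distrust("cathy", "eve")                # cathy saw eve inject fakes
    after = "eve" in g.trusted_by("alice")    # False: the flag propagated to alice
    g.distrust("bob", "cathy")                # bob cuts the chain at cathy
    return before, after, g.trusted_by("alice"), "mallory" in g.trusted_by("alice")
```

Note that the fixpoint loop is what makes the "closed circle" work: once bob cuts cathy off, dave and eve disappear from alice's view too, because alice only ever reached them through cathy.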
The difference is who has control. In the office, the sysadmin deserves to have control over who can run what. At my house on my computers, only I deserve control. I'd better be able to do anything I damn well please on my own equipment. The security policy in Windows XP and Server 2003 lets this happen. Palladium/NGSCB, on the other hand, puts this control in Microsoft's hands. It's their security, not ours. I think "trusted computing" should be me trusting my computer to do what I say, not Microsoft or the *AA's trusting my computer to be crippled enough for their DRM crap. MS's view of "trusted computing" is way off base.
About signing patches, I think Microsoft should make one of Software Update Services' features be automatic signing of patches that the sysadmin has chosen to be installed.
It's an operating system, not a religion.
Couldn't you do this now with an SSL style connection?
Force all users to register with a central service (yeah, I know, central point of failure, but you might also be able to do this in an incremental fashion) that assigns client SSL certificates that are then used in all P2P connections to verify the client's identity.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Simplistic view? In the past, M$ has proven they will lie, cheat, and steal to control their users and to try trapping everyone into using their product. It is like working with Hitler. Making a compromise or alliance with such people is suicide. Just ask Stalin.
What good would "open implementations" of DRM do? Allowing others to control what your computer does with their file/data is the entire point of DRM. When that fails, M$ and the MPAA will create a censorship system under the guise they need to delete infringing files. To do so, a M$ controlled DRM system will need to be in place--to trap everyone into only using M$ systems, and/or to hide the fact they are censoring people.
An open implementation would defeat the entire purpose. An open implementation would not even be good for most of the other purposes touted for DRM. Anyone would be able to counterfeit Eca$h, or copy those secret emails. A trusted third party would be required to control your computer. I will never trust M$, only a fool would.
The author clearly has NO IDEA what Palladium is all about, despite Microsoft and AMD both releasing enough info publicly at a recent conference to prove that under the new content protection level Palladium will only allow code that has been audited and has paid a hefty signing "protection fee" to run (i.e.: consumer "rights" restricted video and music players/decoders).
Palladium has no other uses. It's not being designed for that. In fact, while your computer is not running rights-restricted code the entire Palladium kernel will unload itself and get out of the way of the OS (it'll impact performance due to trapping a lot of common IO/DMA/page table accesses to prevent breaking the security boundary without a memory bus analyzer).
There are other flaws with this concept, but the main one is that the content being traded over P2P networks will also be DRM-ed into uselessness. In other words, if you're running Palladium (or NGSCSBSDCSN or whatever today's rename is), your machine is producing DRM-crippled MP3s, WMVs, and other files of interest in this scenario. You can secure-P2P them to anybody you want. Or just e-mail them for that matter. The files won't play on the other end, because the MPAA/RIAA/XXAA already 0wns your box.
Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005
Is there an anti-Palladium/TCPA initiative, either technical or political? By this I mean ..
1) Can we still have programs that would be untouched by Palladium/TCPA? I hope there are.. and I hope Palladium/TCPA is made to look like a magnanimous waste of time and money. I have half a mind to start a website to brainstorm these ideas.
2) Aren't there any political people opposed to Palladium? I really don't trust the politicians, as their political campaigns are funded by these companies.
Here is a good article about how secure palladium/TCPA is and will be. http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
the tighter that you grasp the more consumers will slip through your fingers
Seriously, this is probably not going to get very far off the ground. It will cause an uproar, and having your customers hate you really does not go well for any company. Even if M$ does somehow get this through, there hasn't been a security measure that has not been cracked. It will only be a matter of time.
Suppose I design a new P2P protocol. It includes all the l33t features. SHA1 hashes of each file. Reputation management. End to end encryption. BitTorrent like swarming. Other features to make traffic analysis more difficult. (You can't hack the trusted client, but you can still packet sniff the p2p traffic. So who provided the file?) Etc. etc. features.
Assumption: Let's assume for the moment that Trusted Computing might turn out not to be evil. That is, I, me, anyone can sign an executable. The person who downloads it can authorize it to run trusted, and thus tamper resistant on their computer.
I provide an implementation of my client. Signed and trusted.
Now my protocol design and client really take off. Popular.
My client and design are open. Others want to implement clients in other languages and for other platforms.
Who signs these other new clients to make them trusted? I would assume that I would have to sign these other clients. Or alternately, all clients would have to recognize a certain set of signed clients as being trusted. If my client, Joe's client, and Jane's client are all trusted, then only me, Joe and Jane can build clients. Any other new clients must be signed by me, Joe or Jane, because all existing clients only recognize our three signatures.
I'll see your senator, and I'll raise you two judges.