Slashdot Mirror


Windows Security GM Talks NGSCB (Palladium)

An article at IT Manager's Journal (along with Slashdot, part of OSDN) reports on John Manferdelli's recent talk at Stanford on what Microsoft is now calling its "Next Generation Secure Computing Base," or NGSCB (formerly Palladium). Manferdelli is the general manager for Windows security at Microsoft, and his presentation was mostly about the technical, not ethical or other considerations involved in this system. His position is understandably different from those of privacy and free software advocates who assert that Microsoft's elaborate security is designed to lock users into Microsoft software at the expense of privacy and choice.

26 of 281 comments

  1. What it's about: by iantri · · Score: 5, Insightful
    "Trusted Computing" basically means "you TRUST us, we don't trust you."

    A great victory for consumers everywhere.

    1. Re:What it's about: by hanssprudel · · Score: 5, Insightful

      More accurately it means:

      "People who don't trust you can trust your computer to control you."

    2. Re:What it's about: by IthnkImParanoid · · Score: 4, Insightful

      More like: If you work with us*, we'll trust you.



      *"Working with us" is defined as not competing with any of our products and offering appropriate compensation by not working with our competitors and agreeing to develop only for our latest products, helping us enforce the upgrade cycle.

      --
      It's nothing but crumpled porno and Ayn Rand.
    3. Re:What it's about: by garcia · · Score: 5, Insightful

      yup. and it means that they are going to do everything in their power to stop us from having any freedom. That includes forcing us to use a BIOS that will only "trust" their OS and thus render most hardware useless except for Windows.

      See more here.

      (Please note that this comment mentions that we have to trust them and they don't trust us.)

    4. Re:What it's about: by Anonymous Coward · · Score: 2, Insightful

      Who should your computer take its orders from? Most people think their computers should obey them, not obey someone else. With a plan they call "trusted computing," large media corporations (including the movie companies and record companies), together with computer companies such as Microsoft and Intel, are planning to make your computer obey them instead of you. Proprietary programs have included malicious features before, but this plan would make it universal.

      Proprietary software means, fundamentally, that you don't control what it does; you can't study the source code, or change it. It's not surprising that clever businessmen find ways to use their control to put you at a disadvantage. Microsoft has done this several times: one version of Windows was designed to report to Microsoft all the software on your hard disk; a recent "security" upgrade in Windows Media Player required users to agree to new restrictions. But Microsoft is not alone:

      the KaZaa music-sharing software is designed so that KaZaa's business partner can rent out the use of your computer to their clients. These malicious features are often secret, but even once you know about them it is hard to remove them, since you don't have the source code.

      In the past, these were isolated incidents. "Trusted computing" would make it pervasive. "Treacherous computing" is a more appropriate name, because the plan is designed to make sure your computer will systematically disobey you. In fact, it is designed to stop your computer from functioning as a general-purpose computer. Every operation may require explicit permission.

      The technical idea underlying treacherous computing is that the computer includes a digital encryption and signature device, and the keys are kept secret from you. (Microsoft's version of this is called "palladium.") Proprietary programs will use this device to control which other programs you can run, which documents or data you can access, and what programs you can pass them to. These programs will continually download new authorization rules through the Internet, and impose those rules automatically on your work. If you don't allow your computer to obtain the new rules periodically from the Internet, some capabilities will automatically cease to function.

      Of course, Hollywood and the record companies plan to use treacherous computing for "DRM" (Digital Restrictions Management), so that downloaded videos and music can be played only on one specified computer. Sharing will be entirely impossible, at least using the authorized files that you would get from those companies. You, the public, ought to have both the freedom and the ability to share these things. (I expect that someone will find a way to produce unencrypted versions, and to upload and share them, so DRM will not entirely succeed, but that is no excuse for the system.)

      Making sharing impossible is bad enough, but it gets worse. There are plans to use the same facility for email and documents -- resulting in email that disappears in two weeks, or documents that can only be read on the computers in one company.

      Imagine if you get an email from your boss telling you to do something that you think is risky; a month later, when it backfires, you can't use the email to show that the decision was not yours. "Getting it in writing" doesn't protect you when the order is written in disappearing ink.

      Imagine if you get an email from your boss stating a policy that is illegal or morally outrageous, such as to shred your company's audit documents, or to allow a dangerous threat to your country to move forward unchecked. Today you can send this to a reporter and expose the activity. With treacherous computing, the reporter won't be able to read the document; her computer will refuse to obey her. Treacherous computing becomes a paradise for corruption.

      Word processors such as Microsoft Word could use treacherous computing when they save your documents, to make sure no competing word processors can read them. Today we must figur

    5. Re:What it's about: by gnu-generation-one · · Score: 1, Insightful

      "Trusted Computing" basically means "you TRUST us, we don't trust you."

      "Trusted Computing" means that you have to trust it, not that you should trust it, nor that it's trustworthy, nor that it won't abuse that trust.

      GNU is trustworthy, Windows is trusted. Big difference.

    6. Re:What it's about: by DickBreath · · Score: 5, Insightful

      Actually it means that people who do not trust your computer configuration can pass data to you and be confident at some level that it is not exposed.

      That is one element of what it is about.

      If they can trust the programs on your computer to do what they want, then those programs can also be trusted to control your behavior and actions.


      Palladium turns out to be very useful for meeting a real business need which in most cases is completely legitimate. I do not want communications with my lawyers to be disclosed. Confidentiality is in general a good thing, it is occasionally a bad thing.

      There is this thing called cryptography that meets the business need you speak of.

      The "business need" that Palladium meets is the need to control users behavior, what software they can run, and perhaps most importantly, what software they can NOT run.


      But one thing to consider is that the greater the confidence that people have that their communications are secret, the greater the probability they will say something in a permanent form that later compromises them.

      If you can't stand up for what you say, then don't say it. And please do not run for public office. Let your "yes" mean yes and your "no" mean no. Say what you mean and mean what you say.

      Yeah, wonderful thing here. The ability to say something, and then later take it back, knowing that one can trust other users computers to obey.


      Where would the world be without corporate whistleblowers?

      This is an interesting issue. What whistleblowers are about is someone who is involved or exposed on some level to wrongdoing and then decides to blow the whistle. Palladium will never stop this. Whistleblowing is about one of a bunch of thieves developing a momentary feeling of guilt. I am not aware of any whistleblowers who obtained their information by snooping in information they were not supposed to have access to. Palladium won't stop whistleblowers. It will just stop you from doing things with your computer that Microsoft does not like.

      --

      I'll see your senator, and I'll raise you two judges.
  2. Another MS ploy. by Anonymous Coward · · Score: 2, Insightful


    Microsoft is equiping all its people and MCSEs with early version of this stuff along with glossy brochures to hand out to the dumb suits that sign the checks. They won't sell this on technical merit, they're selling it to the PHBs. As always.

    If you're forced to install this crap, break it, make sure it doesn't work. That's how we got rid of Exchange and had free software come into our company with just over 4500 people.

  3. Perfect article! by onyxruby · · Score: 3, Insightful

    It's the perfect article, touches Microsoft, DRM and the evil once known as Palladium! Best of all no one can read the article because it just links back to slashdot. Everybody can shoot from the hip on this one, because once again the only link in the article wasn't even checked to see if it works. Do stories here get reviewed and selected by a seven line perl script?

  4. Upgrade or "Surreptitiously Copy"? by josquin00 · · Score: 5, Insightful
    Files within the NGSCB architecture will be encrypted with secret coding specific to each PC, making them useless if stolen or surreptitiously copied.

    My concern with this would be what happens when you upgrade? How do they differentiate between new hardware and "surreptitiously" copying files to a different system? I remember all of the Office XP Activation nightmares, and I can't help but think this will turn into a complete fiasco, too.

    1. Re:Upgrade or "Surreptitiously Copy"? by peragrin · · Score: 5, Insightful

      Actually what scares me most about this is what happens when your motherboard dies: you now have a new pc with the old hardware and no access to your files. Also what happens if you upgrade to longhorn 2010, do you lose access to those files? it is a standard microsoft tactic.

      --
      i thought once I was found, but it was only a dream.
  5. huh? by larry+bagina · · Score: 2, Insightful
    NGSCB is an operating system kernel within an operating system kernel -- the larger of which will resemble the conventional Windows system. But the other part, which Manferdelli called the "Nexus mode" and said is entirely optional for the user, is the "trusted computing" model that Microsoft, Intel, and organizations such as the Record Industry Association of America are so hot to get the general public to use. Why? Because it will allow only one user per system and per application, and it will be much easier to track music, video, and other entertainment files as they move from retailer to listener.

    I hate to break it to you, RIAA, but the problem isn't people re-distributing DRM music from iTMS, Napster 2.0, etc.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  6. repeat after me... by BubbaTheBarbarian · · Score: 5, Insightful

    Ok, repeat after me...

    Every attempt to lock down ID's, every attempt at DRM, every attempt at hardware ID (remember Intel's great Proc Id idea?) has failed.

    Not only has it failed, but the backlash they have caused has made the problem they were to solve worse. True, this is a real threat to peace, love and freedom, but in the end, the consumer decides, and while the unwashed are unwashed, if you piss them off enough, they will find something else, and they tend to find it with a speed that was previously unthought of (remember Napster?).

    Does that preclude us fighting these types of initiatives? No, but at the same time announcing the End Of The World is a bit rash...

    What's Next - Scheduled Meetings
    Thursdays 2600 GMT

    1. Re:repeat after me... by GoofyBoy · · Score: 4, Insightful

      >every attempt at DRM,

      Not sure if you would consider this as DRM but CD-keys which are verified online such as HalfLife or Quake3 are pretty successful.

      Also Windows XP activation would also be considered "successful enough".

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    2. Re:repeat after me... by slux · · Score: 2, Insightful

      HalfLife didn't check keys in LAN. And I never had problems with Quake3 servers.

      It's true that LAN gaming is still there but for many people it has really decreased in significance after internet gaming really took off. I haven't bothered to take my computer to a friend's place in *years* and I believe a lot of people are the same. LAN gaming is really insignificant and with more and more people getting faster connections it will probably become a thing in the past except for huge LAN parties (that will run legal servers).

      Why do you think Half-Life sold *millions* of copies? Because everyone had to pay if they wanted to play (online). I see multiplayer games fast becoming the most profitable area of PC gaming industry.

      Everyone wanting to play a first person shooter online these days has to buy a copy and back when there still were options (Unreal Tournament) no one voted with their wallet against master server authentication.

      And sure, it can be cracked. The problem is, an ISP is never going to run a cracked server and most (good, anyway) servers are run by ISP's. No fun at all if you can only play on select few badly pinging servers with your brand new cracked copy of Half-Life 2.

      The way I see it WON, Steam and similar systems really show how easy it will be to get everyone to keep it quiet and do what Microsoft tells them to.

  7. Something Creepy & Point by Jim_Hawkins · · Score: 1, Insightful

    First of all, this whole Palladium thing sounds pretty scary in terms of computer use and what kind of control a user has on a system.

    Anyway...my point...

    "All operating systems sustain these same attacks ... it's an industry problem," Manferdelli said. "Microsoft is hit harder simply because we have more systems out in the world."

    I have to totally agree with Manferdelli. You hear about Windows problems because that's what people use. Heck, as far as the media is concerned (mainstream, anyway) Windows is the only system of choice out there. Other systems do have bugs. It happens. However, when Windows has a bug, everybody knows about it because it affects just about everybody.

  8. Sealed storage by Kefaa · · Score: 4, Insightful

    Say anything else, but sealed storage is a simple concept, we control what can be saved. What we need to be concerned with is how they secure it. If sealed storage is at the hardware level, then the "sealed PC" MS has been seeking for years will be a reality.

    How can you install Linux, BSD or WinXP if the device itself requires the OS to authenticate? You can't. Sure you may be able to crack a workaround, but what company will run software that is in place via crack?

    This brings up the next issue, what happens when you replace your box? We have heard of all the fun people have had with XP licensing and system upgrades. Do you get to keep all those MP3s or do they not belong to the box. If you can authenticate on a second box, then you really don't have a secure system using the box.

    While MS likes to dismiss these as "we are working on it" they will again be in a position to dictate their use. By the time grandma learns all her files are now secure and she must pay to move them to her new box, it will be too late. This idea that we can somehow wait for MS to figure out a solution in secret that we can all live with is crazed.

    If we are going to take a secure machine approach it will need to be a standardized one, open for all to use. I don't think we will see MS jumping to support that concept.
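To make concrete why the upgrade and replacement questions raised by josquin00, peragrin and Kefaa above are hard, here is an added illustration (not from the article, Microsoft or any commenter) of sealing a file to a platform key derived from a per-chip secret and the measured boot chain, then trying to read it after an OS upgrade, a motherboard swap, a straight copy to another PC, and a sanctioned migration. The chip secrets, boot-stage strings and the HMAC-based toy cipher are all constructed stand-ins, not NGSCB's actual algorithms.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for a per-chip secret and for measured boot stages.
CHIP_A = b"endorsement-secret-of-machine-A"
CHIP_B = b"endorsement-secret-of-machine-B"
BOOT_V1 = [b"firmware-1.0", b"loader-1.0", b"nexus-1.0"]
BOOT_V2 = [b"firmware-1.0", b"loader-1.0", b"nexus-2.0"]  # hypothetical OS upgrade


def platform_key(chip_secret, boot_chain):
    """Derive a sealing key from the chip secret plus a running hash of every
    boot stage; changing any stage or the chip yields an unrelated key."""
    digest = hashlib.sha256()
    for stage in boot_chain:
        digest.update(hashlib.sha256(stage).digest())
    return hmac.new(chip_secret, b"seal|" + digest.digest(), hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # Toy HMAC-in-counter-mode keystream so the example needs only the stdlib.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC under the platform key; returns nonce || ct || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Return the plaintext, or None when the key does not match the blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def migrate(blob, old_key, new_key):
    """A sanctioned move: only possible while the OLD platform key can still unseal."""
    doc = unseal(old_key, blob)
    return None if doc is None else seal(new_key, doc)


def upgrade_scenarios():
    """Seal a file on machine A, then try to read it after each kind of change."""
    doc = b"confidential memo"
    old_key = platform_key(CHIP_A, BOOT_V1)
    blob = seal(old_key, doc)
    moved = migrate(blob, old_key, platform_key(CHIP_B, BOOT_V1))
    return {
        "same_machine": unseal(old_key, blob) == doc,
        "os_upgraded": unseal(platform_key(CHIP_A, BOOT_V2), blob) == doc,
        "new_motherboard_or_copy": unseal(platform_key(CHIP_B, BOOT_V1), blob) == doc,
        "migrated_with_old_key": unseal(platform_key(CHIP_B, BOOT_V1), moved) == doc,
    }


if __name__ == "__main__":
    for name, ok in upgrade_scenarios().items():
        print(f"{name:>24}: {'readable' if ok else 'locked out'}")
```

Migration works only because the old platform key was still available to reseal the blob, which is Kefaa's point: a legitimate move is cryptographically indistinguishable from a copy unless some party outside the box holds a way to unseal it.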

  9. Yes, and No by Bill,+Shooter+of+Bul · · Score: 4, Insightful

    Granted all systems of non trivial size have bugs, but it would seem that microsoft in integrating so many of its products together have left themselves vulnerable for many chain reactions. So each bug in windows can have a much more severe effect than an equivalent one in a different environment.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
  10. Absurd by DonkPunch · · Score: 4, Insightful

    Microsoft sells an OS vulnerable to buffer overflow exploits.

    The obvious solution for secure computing -- better quality control on their code.

    The Microsoft solution -- anything but better quality control. Limit the user's control of the machine. Enact a code-signing scheme. But, whatever you do, don't make us audit millions of lines of our own code.

    --

    Save the whales. Feed the hungry. Free the mallocs.
  11. Trust doesn't enter into it at all... by Alphanos · · Score: 4, Insightful

    Isn't it more like "you MUST 'trust' us or you cannot access the internet"? That's the eventual goal, anyway.

    --
    Alphanos
  12. An interesting propaganda technique by swb · · Score: 2, Insightful

    Manferdelli is the general manager for Windows security at Microsoft, and his presentation was mostly about the technical, not ethical or other considerations involved in this system. His position is understandably different from those of privacy and free software advocates who assert that Microsoft's elaborate security is designed to lock users into Microsoft software at the expense of privacy and choice.

    This is a classic example of a propaganda technique. An organization with a goal that is unpopular casts a spokesman as an authority on that goal, but only on a narrowly defined scope. This serves to limit the terms of the debate, as well as to get people to accept tenets of the organization's goals.

    In this case, Manferdelli is only an expert on the technical aspects of secure computing. The concept of secure computing is something that a lot of people opposed to Palladium actually accept. It's possible to win converts or at least marshal good PR by getting people to "agree" with Microsoft's technical goals, even when they disagree with the larger implementation and motivation.

    This technique is common in totalitarian countries. For example, you may be opposed to Nazi eugenics, but Dr. X, who is only an expert on the medical problems associated with poor breeding, can quickly have you agreeing that birth defects and disease are bad. Once you're that far, why, the overall issues and conclusions of eugenics are much more reasonable and less objectionable.

    Overall, this technique works great, and you might even find it in use in your place of work. You limit the scope of debate, removing the things that people really object to, and then get them to agree to things "on their own merits", which makes the overall plan more palatable.

  13. another business model by b17bmbr · · Score: 1, Insightful

    kudos to microsoft for coming up with another business model. it wasn't enough to force vendors and users to pay for windows, and break all kinds of anti-trust laws. those damn pesky linux cd's still work. and even though they get their $50 or whatever OEM fees, it still isn't the same. now, they've got the perfect strategy: force manufacturers to make hardware that can only run windows and nothing else. if you can't beat them, beat them over the head. awesome. think i'm going to buy some microsoft stock.

    --
    My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
  14. Re:Doomed from the start by The+Snowman · · Score: 4, Insightful

    I see no reason why human ingenuity is supposed to freeze at the point this technology is released...

    I see a reason: DMCA. It won't stop people, but it will chill public disclosure and freedom of speech, as we know from experience. It can stop the knowledge from reaching a critical mass. People who would circumvent DRM and Trusted Computing are a minority, and if the DMCA can keep it that way, we will never reach critical mass and stop DRM and TC.

    --
    24 beers in a case, 24 hours in a day. Coincidence? I think not!
  15. Re:What it's REALLY about: by hummer357 · · Score: 5, Insightful

    Will we keep our right of private ownership of computers?
    Will we keep our right of free use of our Net?

    ehm... i think it's grotesque that someone would even think of asking these questions.

    i also think that the whole 'Next Generation Secure Computing Base' thing is about who will be pimping who.

    some time before we'll get the final version of longhorn stuffed down our throats, msft will probably have decided that it's in everyone's (*) interest to expand the trusted computing base to the full operating system, and we'll be able to forget about using any software that wasn't okay'ed by msft to run on the system. (= signed code?)

    maybe we'll see modchips for regular computers in the future too?

    better start stroking the penguin sooner than later!

    h357 - paranoia est. 1977

    (*) everyone = riaa/mpaa members, msft themselves, anyone who pays premium prices to develop software using msft tools

  16. Wow, you deliberately sabotaged... by Anonymous Coward · · Score: 1, Insightful

    ...part of your company's computing environment so that you could push your own personal software agenda? Your company's buying software and paying you to install it and you're sabotaging the effort?

  17. Re:No one seems scared by this! I'm terrified. by aristotle-dude · · Score: 2, Insightful

    How much did that $475 box really cost you? How much is your time worth? Many people hire maids because they are busy and their free time is valuable to them, not because they could not clean their place themselves. What happens when it breaks? No warranty on the entire unit. Good luck on getting warranty replacement on the parts. If you take TCO into consideration and peace of mind/lack of frustration, macs are cheap.

    --
    Jesus was a compassionate social conservative who called individuals to sin no more.