Slashdot Mirror


Windows Security GM Talks NGSCB (Palladium)

An article at IT Manager's Journal (along with Slashdot, part of OSDN) reports on John Manferdelli's recent talk at Stanford on what Microsoft is now calling its "Next Generation Secure Computing Base," or NGSCB (formerly Palladium). Manferdelli is the general manager for Windows security at Microsoft, and his presentation was mostly about the technical, not the ethical or other, considerations involved in this system. His position is understandably different from those of privacy and free software advocates, who assert that Microsoft's elaborate security is designed to lock users into Microsoft software at the expense of privacy and choice.

19 of 281 comments

  1. optional is good.... by smd4985 · Score: 4, Interesting

    If the article is accurate, MS says the trusted computing feature can be optionally enabled/disabled. Glad to hear this. What is more relevant is whether the user will have the option to run certain applications in untrusted mode. I fear that software makers will bind users' hands.

    --
    smd4985
  2. Not about trusting Microsoft by hanssprudel · Score: 5, Interesting

    The bottom line: Do you trust Microsoft? That's ultimately what this is all about.

    I don't understand what it is about these technologies and their evangelists that makes it so easy for them to pull the wool over listeners' and analysts' eyes. I mean, the author of the article quotes Stallman's and Sulzberger's comments, but they seem to go in one ear and out the rest.

    This isn't about whether one trusts Microsoft. People who dislike Palladium and TC are not tinfoil hatters who think that once it is deployed Microsoft will use it to take over the world, or whatever. The bottom line is exactly what Sulzberger says: How much control should users have over their own systems.

    Microsoft's representative covers this up in invented technical terms, and talks about "security" and "trust" because those words sound good to the uninitiated, but that is just a smokescreen for the true nature (not a lie - they are upfront about what the system includes, they just spin it so people like Chris Preimesberger will miss the point).

    The point is this: every piece of "security" and "trust" that can be gained from Palladium is gained by Palladium taking away from the user control of his own computer. Once that control is removed, ISPs can "secure" and "trust" that the user has his system configured as they mandate (see the Cisco router story). Microsoft can "secure" and "trust" that their software is licensed and registered. The record companies can "secure" and "trust" that their songs cannot be copied, ALL BECAUSE ULTIMATELY THE COMPUTER, NOT THE USER, IS IN CONTROL!

    The question he asked "Does Microsoft have a back door" is stupid. Nobody serious believes that Palladium contains a backdoor so that MS can take over the computer. They believe the point with Palladium's design is that software can be installed with restrictions that the user cannot circumvent, and that people will be forced into installing such software, hostile to themselves, on their own PCs, in order to exchange data and connect to the Internet.

    The reported responses from the MS representative give us absolutely no reason to answer "no" to either of Sulzberger's questions, even though the article claims so. In fact, when MS say things like, "We are building a scalable, distributed credential-based security model here," and list features of "attestations with authenticated code that is affiliated with only that particular process" - that is exactly what Sulzberger and Stallman are talking about. The Palladium computer will attest - BEYOND THE USER'S CONTROL - whether the computer is running software that is "trusted" by the counterpart and hostile to the user, exactly so that the counterpart can mandate the use of such software (read DRM).

    The fact that Microsoft tell us that the code will be open for review gives absolutely no comfort. It is not the code, but the very concept of Palladium that is frightening beyond belief. Apparently Microsoft have nothing to fear regarding being open about it, as for some reason so many people cannot seem to grasp the point that Stallman, Sulzberger, and myself scream into the void!

    1. Re:Not about trusting Microsoft by Hoplite3 · Score: 2, Interesting

      As far as I see it, Palladium has two goals:

      (1) Make subscription-based software a viable business model. This one is obvious. Microsoft has been trying to do this for years. Their solution is typical for a monopoly. It over-reaches. If you want people to subscribe to your OS, don't force them to. Offer the subscription as a service. It comes with technical support and free upgrades as long as you pay. The other poor users will have to do the best they can with your "patches" and upgrade-editions. Instead, MS wants to rope everyone in. Deny them choice. This is what monopolies are about: control.

      (2) This dovetails with automatic windows updates to become "The Sysadmin from Redmond." Yeah, from MS's point of view, they keep getting calls from the computer-illiterate about trivial stuff. Of course they want to take control of the illiterate's computer. They think he doesn't want to mess with it. They think he wants them to fix it and not worry about it. But technical people (ie, the audience here) want to fix their computer themselves. We warn the illiterates of the dangers of the Sysadmin from Redmond, but they don't understand.

      I think most computer owners NEED a sysadmin. I don't think that admin should be an update server and a telephone techsupport script reader; she should be someone who lives nearby, who can make house-calls, who can connect as root and clean up messes, who can admonish people for not keeping their files in their home directories. This isn't absurd. Most people have mechanics for their cars, doctors for their health ... why shouldn't they have someone to look after their computer?

      --
      Use the Firehose to mod down Second Life stories!
  3. Doomed from the start by Anonymous Coward · Score: 2, Interesting

    "Trusted Computing"

    The term is pure genius, it implies security/safety but doesn't address who is protected from what.

    In fact the whole thing seems to be founded on the dubious premise that information (programs/data) can be transferred without transferring complete freedom as to its use (physically if not legally).

    This is patently nonsense.

    A case in point is the remarkable lack of electronic money on the planet (like Mondex).

    Banks/governments do not trust that real but virtual "cash" can be transacted and stored safely and securely from device A to device B without fear of fraud or loss.

    And if you can't do it "safely" with an electronic representation of $0.42 then how can you do it with programs or office documents?

    Don't forget that a system is being invented that RELIES on the decryption keys being in the hands of the enemy (that's us by the way) but just too hard to get at.

    People have found ways to pull decryption keys directly off the data bus and even out of embedded processors. I see no reason why human ingenuity is supposed to freeze at the point this technology is released, especially if there is a financial incentive to do so.

  4. Re:repeat after me... by Anime_Fan · Score: 3, Interesting

    Also Windows XP activation would be considered "successful enough".

    They were successful? Oddly, I seem to remember licence keys to corporate/enterprise versions of Windows XP before I could even try and purchase a copy.

    This didn't change much with SP1, despite the fact that said master keys were removed.

    If you only look at Windows XP Home, it isn't pirated much (due to Windows XP Professional being freely available anywhere). Everyone I know hates it due to the fact that one has to call Microsoft Support every once in a while.

    HalfLife didn't check keys in LAN. And I never had problems with Quake3 servers.

    So, I'd have to say they aren't in the very least successful.

  5. Re:What it's about: by Zeinfeld · Score: 5, Interesting
    More accurately it means: "People who don't trust you can trust your computer to control you."

    Actually it means that people who do not trust your computer configuration can pass data to you and be confident at some level that it is not exposed.

    Palladium is no better for DRM copyright enforcement applications than any other hardware technology. The problem with DRM is that it is break once run anywhere. Palladium like any other hardware enforcement system is breakable, the catch is that you have to break a system that is trusted by the sender of the data.

    For copyright control you cannot be any more selective about the destination machine than requiring it to be a Palladium machine. So it only takes one Palladium machine ever to be broken and you are toast.

    For control of sensitive company documents the issue is very different. I can configure my systems so that they only deliver sensitive data to specific palladium pcs that I have designated as trusted and to obtain my documents you have to break those specific machines.

    There are still people who complain about this sort of thing. Where would the world be without corporate whistleblowers? Pretty much where we are today; there was no shortage of whistleblowers on Enron, Krugman reported repeatedly in the New York Times, few took notice until Enron collapsed and suddenly it was open season, everyone acknowledged that Enron and co had been ripping off California...

    Security is security, you can't expect technology to enforce your particular set of ethical constraints. Palladium turns out to be very useful for meeting a real business need which in most cases is completely legitimate. I do not want communications with my lawyers to be disclosed. Confidentiality is in general a good thing, it is occasionally a bad thing.

    But one thing to consider is that the greater the confidence that people have that their communications are secret, the greater the probability they will say something in a permanent form that later compromises them. Nixon discovered this. I don't think that security will prevent disclosure of information about criminal activities and frauds.

    Take Diebold for example: if they were clueful enough to have used DRM to control their internal documents, they might have been clueful enough to secure their Web site to stop an attacker from compromising their software to rig the vote. What we need in the Diebold case is not internal company memos with incriminating information. What we need is a reliable security audit.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
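An added illustration of the distinction Zeinfeld draws above, and of the key-extraction point made in comment 3; it is written for this page and is not code from the article, from Microsoft, or from NGSCB itself. It models the attestation flow such systems rely on: each machine holds a vendor-certified identity key and an extend-only measurement register; a verifier sends a nonce, gets back a signed (measurement, nonce) quote, and checks the signing key against its policy. The Ed25519 signatures, the SHA-256 extend rule, the component names "nexus" and "player", and the Policy/Verdict types are assumptions chosen for the example, not NGSCB's actual formats. The scenario plays both policies against a key pulled out of one broken retail machine: the content seller's fleet-wide policy accepts the forgery (break once, run anywhere), the company's per-machine allowlist does not, and a machine that honestly reports a modified player is refused even though nothing about it is forged.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// certified stands in for the vendor's certificate chain: every attestation
// key it ever shipped, keyed by hex-encoded public key (assumed model).
var certified = map[string]bool{}

// Device is one attesting machine: an identity key whose private half stays in
// hardware (until someone pulls it out) and an extend-only register like a TPM PCR.
type Device struct{ pub ed25519.PublicKey; priv ed25519.PrivateKey; pcr [32]byte }

func Manufacture() *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	certified[hex.EncodeToString(pub)] = true
	return &Device{pub: pub, priv: priv}
}

// Extend records a loaded component as pcr = H(pcr || H(component));
// code that runs later cannot undo an extension, only add to it.
func (d *Device) Extend(component string) {
	h := sha256.Sum256([]byte(component))
	d.pcr = sha256.Sum256(append(d.pcr[:], h[:]...))
}

// Quote says "the holder of this key is in this measured state", signed over
// the verifier's fresh nonce so an old quote cannot be replayed.
type Quote struct{ PCR [32]byte; Nonce, Sig []byte; Pub ed25519.PublicKey }

func quoteMessage(pcr [32]byte, nonce []byte) []byte {
	return append(append([]byte("attest-v1:"), pcr[:]...), nonce...)
}

func (d *Device) Quote(nonce []byte) Quote {
	return Quote{PCR: d.pcr, Nonce: nonce, Pub: d.pub, Sig: ed25519.Sign(d.priv, quoteMessage(d.pcr, nonce))}
}

// Policy is what a verifier demands: a golden measurement and the keys it will
// hear it from. A seller can only name the vendor's whole fleet; a company can
// name the specific PCs it designated.
type Policy struct{ ExpectedPCR [32]byte; AllowedKeys map[string]bool }

var (
	ErrReplay    = errors.New("nonce mismatch: stale or replayed quote")
	ErrSignature = errors.New("signature does not verify")
	ErrKey       = errors.New("key not acceptable to this verifier")
	ErrState     = errors.New("measured software does not match policy")
)

func Verify(p Policy, q Quote, nonce []byte) error {
	switch {
	case string(q.Nonce) != string(nonce):
		return ErrReplay
	case !ed25519.Verify(q.Pub, quoteMessage(q.PCR, nonce), q.Sig):
		return ErrSignature
	case !p.AllowedKeys[hex.EncodeToString(q.Pub)]:
		return ErrKey
	case q.PCR != p.ExpectedPCR:
		return ErrState
	}
	return nil
}

// Verdict holds the verifier's answer for each case argued in the thread.
type Verdict struct{ Honest, ModifiedPlayer, SellerVsForgery, CompanyVsForgery error }

func Scenario() Verdict {
	alice, broken, modified := Manufacture(), Manufacture(), Manufacture()
	alice.Extend("nexus")
	alice.Extend("player")
	modified.Extend("nexus")
	modified.Extend("patched-player") // honestly reports a state the seller rejects
	reference := alice.pcr            // the golden measurement both verifiers expect
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	seller := Policy{ExpectedPCR: reference, AllowedKeys: certified}
	company := Policy{ExpectedPCR: reference, AllowedKeys: map[string]bool{hex.EncodeToString(alice.pub): true}}
	// With the key pulled out of one retail box the attacker no longer needs
	// that hardware: a software-only "device" signs whatever state it likes.
	thief := &Device{pub: broken.pub, priv: broken.priv, pcr: reference}
	return Verdict{
		Honest:           Verify(company, alice.Quote(nonce), nonce),
		ModifiedPlayer:   Verify(seller, modified.Quote(nonce), nonce),
		SellerVsForgery:  Verify(seller, thief.Quote(nonce), nonce),
		CompanyVsForgery: Verify(company, thief.Quote(nonce), nonce),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Run it with go run; a nil entry in the printed Verdict is a case the verifier accepted. Note that nothing in Verify looks at who owns or is sitting at the machine, only at what it measured and whose key signed the quote; that is the whole of what the sender learns, and the whole of what the owner cannot override.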
  6. Re:What it's about: by Hobbex · Score: 5, Interesting

    Actually it means that people who do not trust your computer configuration can pass data to you and be confident at some level that it is not exposed.

    TO YOU. That it is not exposed _to you_.

    Why do the MS apologists always leave out those little important words that make all the difference!

  7. No one seems scared by this! I'm terrified. by ScottGant · Score: 4, Interesting

    I'm on the Gentoo IRC channel a lot, getting help and giving help when I can. But when I try to bring up the pitfalls of trusted computing, all I get is a 'huh'? or "nah, it will be ok I'm sure".

    It's like everyone has their heads in the sand. When the major BIOS makers are going to trusted only computing, where are we going to run our Linux?

    Some people say "just buy a Mac". I'm sorry, if I could afford a Mac I would. But since I can't build a brand new Mac for $475 like I did the machine I'm using now, it's going to be a while. And the only reason I built this so cheaply is because I didn't have to pay a Microsoft tax.

    I want a machine I can build myself. An OS that I build myself. When I do that, I'M THE ONE WITH CONTROL! Not MS or Dell or Gateway or Phoenix.

    --

    "Music is everybody's possession. It's only publishers who think that people own it." - John Lennon.
  8. Re:What it's about: by fermion · Score: 2, Interesting
    The problem with DRM is that it is break once run anywhere. Palladium like any other hardware enforcement system is breakable, the catch is that you have to break a system that is trusted by the sender of the data.

    For control of sensitive company documents the issue is very different. I can configure my systems so that they only deliver sensitive data to specific palladium pcs that I have designated as trusted and to obtain my documents you have to break those specific machines.

    Really, the internal problem is not much different from the external problem. While it is true that more control exists for internal networks, it again takes a single malicious agent to break the system. Therefore, for things such as securing memos that are sent to 1000 employees, it would still be difficult to find the one that caused the breach.

    For more serious security, we already have protocols that seem to work, but might benefit from the type of system that MS is talking about. The benefit, however, is not against malicious attacks, which tend to be covered by existing protocols, but against accidental breaches. For instance, if the system is set up so only secure local computers can be hooked up to critical parts of the network, then it would not be possible for someone to accidentally hook up their home computer to the office network. It might still fail against a purposeful attack, but the benefit still exists.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  9. Re:repeat after me... by Anonymous Coward · Score: 1, Interesting

    Windows XP activation would also be considered "successful enough".

    I have no experience with XP activation. Part of the reason is because I do have experience with Office 2k activation. We upgraded from Office 97 to Office 2K. At first, activation was simple; with an "always-on" DSL connection, it hit the 'net, activated automatically and everything was cool.

    However, after Office XP was released, this was no longer the case. Error messages said server too busy right now, try later. They said this many, many times, day or night, whatever (get the picture, they would never be not busy). We had bought 3 extra copies of O2K because we didn't want to have to upgrade to OXP and have 2 versions of Office running around. This activation hassle was the case with all 3 copies that had never been cracked AND with 2 copies on machines that died and required re-activation. Microsoft promised that this would not be the case.

    So it was successful alright; it forced me to locate a copy of their Office 2K Corporate edition and skip all this activation crap. We still own the O2K originals and they are locked away in case the software gestapo ever shows up at our door BUT I do not have time to spend 15-20 minutes, repeatedly, on the phone to use software that we bought and paid for!

    Now, Microsoft promised that this was not going to be a forced upgrade tool. They promised that I would be able to upgrade my machines 2 times without having to justify re-activation. And they broke that promise! Why the hell should I believe them about their damned NGSCB now?

    The last line says it all:
    The bottom line: Do you trust Microsoft? That's ultimately what this is all about.

  10. Is he serious? by gillbates · Score: 2, Interesting
    Today most people who have a computer do not really completely control their computer. They run a Microsoft OS, and they will never put any sniffers on their connection to the Net. Viruses, Trojans, and worms parasitize their machines. In general, it is hard to get any Microsoft system to do what you want. But some folk actually have pretty good control of their computers. Palladium is designed to ensure the continuation of the situation for most users, and to prevent the sale and use of computers which can be controlled by the user. [emphasis mine]

    Let's take this apart:

    do not really completely control their computer. They run a Microsoft OS...

    Quite true - those who run an MS OS have very little control over what their machine does. They don't have the source, so they can't fix the bugs, and their machine is constantly prone to virus infection.

    In general, it is hard to get any Microsoft system to do what you want.

    Nothing new, this has been the case for quite some time...

    But some folk actually have pretty good control of their computers.

    Translation: some folks use Linux.

    Palladium is designed to ensure the continuation of the situation for most users, and to prevent the sale and use of computers which can be controlled by the user.

    Translation: Party's over folks. We're going to make it so that you can't install Linux, because we don't like it. I really can't say enough about how evil this is: they want to take control of a person's PC away from the owner?! Consider what kind of mindset would want complete control over someone else...

    Some features Microsoft will introduce in the future:

    • Web publishing fees. For an additional $15/month, you can use your MS Palladium enabled OS to publish web pages! Of course, you'll still have to pay for hosting.
    • Developer licensing fees. Now Microsoft has made it easier than ever to develop for Windows! With the new bulk discount program, royalties are charged only when someone buys your program.
    • Annual subscription rates: The new annual rate of $350 saves you $10 over the $30 monthly rate!
    • Free automatic system cleanup - brought to you by the RIAA and MPAA. For an additional $5/month, System Cleanup will ensure that you have no infringing copies of copyrighted works. Avoid a costly RIAA lawsuit!

    This is evil, pure and simple. It's not merely designed to stop copyright infringement - this is designed to force anyone who uses a PC to pay annual or monthly subscription fees to Microsoft.

    Yeah, I know. But what should we expect from a convicted felon?

    I guarantee I will not buy a Palladium equipped PC. I'm serious - I'll start building my own from processor and circuit board if I have to.

    --
    The society for a thought-free internet welcomes you.
  11. Re:Absurd by Znork · Score: 4, Interesting

    "The internet is great but it suffers from being based around the notion of naive trust instead of verifiable, secure trust. While this worked in the early days of the internet, it simply does not work now."

    "Simply put, the internet is no longer a hobby. It is quickly becoming as important a part of our infrastructure as electricity and roads, to name a few."

    Indeed. That's why my telephone will not allow me to dial someone while it registers that I'm playing music in the background. It's also why all my mail is opened by the post office to ensure I'm not shipping any copyrighted material in it, and why my electricity shuts off when I try to use it to play a CD I've borrowed from a friend. And why my car will shut down if I go over the speed limit.

    Oh, wait, that's not at all how it works, is it?

    Secure, verifiable trust has never been part of our infrastructure, and the internet does not increase the need for it.

    Communication over the internet is not secure, but then neither is any other form of communication, whether by mail, fax, phone or physical delivery, unless you take certain steps to ensure it is.

  12. Windows Security GM ... ? by TPS+Report · Score: 2, Interesting

    Isn't that like finding someone who's homeless and giving them the title of National Economic Advisor? Isn't it like the NTSB giving Firestone an exemplary safety award?

    Windows Server 2003 is a small step in the right direction, except it's 10 years late. [By the way - I LOVE the caption on the Windows 2003 page - I initially misread it as "do less with more".]

    I like to tell users the reason they are paying me $xxx to repair their computer is because Microsoft was busy working on Clippy instead of fixing the mess they call "Content Zones" in IE/OE. In all fairness, if users would "just keep up to date on their patches" then this wouldn't be (as much of) an issue...

    And this is Microsoft's fatal flaw: They look at computers/software completely differently than the typical user.

    Microsoft: Install the OS, update drivers occasionally, Check for system security fixes daily, and upgrade when a new OS comes out.

    Typical User: OK, this envelope thing with the blue recycle signs around it is what I have to click to get mail, right?

    (most) People want to use computers like any other appliance: their vcr, tv, radio -- they don't want to schedule updates and check for vulnerabilities and install firewalls -- they just want it to work.

    As long as Microsoft (or ANY admin, for that matter) depends on the end-user to secure their equipment, they will be sorely disappointed.

    --
    I was told that I could listen to the radio at a reasonable volume from nine to eleven...
  13. Actual example. by gillbates · Score: 2, Interesting

    This has already happened. About 4 years ago, my college was re-imaging a bunch of Compaq servers with Windows NT when half of them suddenly died.

    Turns out, the servers were sold when Compaq still sold a version of Windows NT, at prices considerably more expensive than Microsoft's. To keep people from buying the machines without an OS and installing their own, the BIOS detected the OS, and if it was not a signed, Compaq-built copy of Windows NT, it refused to load it.

    Fortunately, we had a support contract with Compaq, and we were able to flash the BIOSes of the affected machines. But this was before the DMCA - today, flashing the BIOS to install an operating system of choice would be illegal.

    We stopped buying Compaq machines shortly after that...

    --
    The society for a thought-free internet welcomes you.
  14. It would seem virtualization with VMWare would ... by Anonymous Coward · Score: 1, Interesting

    be problematic to NGSCB. I mean if VMWare is installed, and is able to isolate the OS from the hardware, it would seem a reasonable avenue for attacking any 'secure' environment created on top of an OS that supposedly bases its security/drm on the uniqueness of the platform on which it's running. One of the main selling points of VMWare is to present a uniform platform to the OS.

  15. Re:What it's about: by drakaan · Score: 4, Interesting

    If you're allowed to...might have to download the "Windows secure BIOS update tool" and only be allowed to flash "trusted" BIOS images

    --
    "Murphy was an optimist" - O'Toole's commentary on Murphy's Law
  16. Microsoft's agenda by RML · Score: 3, Interesting
    Emphasis added...

    "Today most people who have a computer do not really completely control their computer. They run a Microsoft OS, and they will never put any sniffers on their connection to the Net. Viruses, Trojans, and worms parasitize their machines. In general, it is hard to get any Microsoft system to do what you want. But some folk actually have pretty good control of their computers. Palladium is designed to ensure the continuation of the situation for most users, and to prevent the sale and use of computers which can be controlled by the user."

    If you don't read that closely, it might look like he's talking about how viruses and worms reduce many people's control over their computer. But he's really saying that Microsoft wants to ensure that everyone doesn't really control their computer.

    "Since today Microsoft's control is not complete over machines running a Microsoft OS, many home users copy and re-distribute popular songs, whose copyrights the home user does not have. So the real issues are not clear, and discussion of Palladium in most newspapers is centered on political questions of copyright law and practice."

    What's not clear? He all but says that Microsoft wants to control your computer to stop you from copying songs - and, I assume, software.

    Really, I was expecting something at least a little subtle.
    --
    Human/Ranger/Zangband
  17. Re:repeat after me... by Hobbex · Score: 2, Interesting

    Not sure if you would consider this as DRM but CD-keys which are verified online such as HalfLife or Quake3 are pretty successful.

    Not that I share the grandparent's optimism, but this isn't DRM. What it has done is basically changed from charging for a copy of the game, to charging for being able to connect to online game servers (you don't need DRM to charge for accounts).

    Of course, it only works because the server operators play along. If I were a server operator, I would think if I'm controlling that players are paying for accounts, then I should have some of the money - but that is just me...

  18. Re:Upgrade or "Surreptitiously Copy"? by peragrin · Score: 2, Interesting

    Short story. My roommate and I were ripping our CDs a couple of years ago. I used an MP3 ripper; he used Windows Media Player. One month after, his hard drive died. Great, all he has to do is restore his music files from backups on CD, right? Nope. He never disabled DRM, so the files and all 14 WMA disks (yes, that's right, nearly 10 gigs, and they are all legit Christian music) were useless; the DRM wouldn't play because it wasn't the same computer. So much for DRM.

    --
    i thought once I was found, but it was only a dream.