Slashdot Mirror


Microsoft Drops Next-Generation Security Project [updated]

grooveFX points to this CRN article which starts "After a year of tackling the Windows security nightmare, Microsoft has killed its Next-Generation Secure Computing Base (NGSCB) project and later this year plans to detail a revised security plan for Longhorn, the next major version of Windows, company executives said..." grooveFX writes "Glad to see they actually listen to the gripes from the media and users."

Update: 05/05 19:13 GMT by T : phil reed writes "Oops. According to this article on Microsoft Watch, Microsoft really isn't giving up on NGSCB (aka 'Palladium') after all. Microsoft spent much of Day 2 of its Windows Hardware Engineering Conference (WinHEC) here refuting a published report claiming the company has axed its Next Generation Secure Computing Base (NGSCB) security technology."

16 of 385 comments

  1. Re:RTFA by Too+Much+Noise · · Score: 4, Informative
    actually, no - the software support was not going the way MS wanted it. From the article:

    Juarez said the project is being shelved because customers and ISV partners didn't want to rewrite their applications using the NGSCB API set.


    So here you have it - customers and partners didn't like it.
  2. Re:A few suggestions by k4_pacific · · Score: 4, Informative

    The problem is not all the features. Rather, the problem is that all the features are part of the OS which means that a security hole in some feature gives an attacker kernel level privileges which is a Bad Thing. They need to go with the Unix model wherein the bulk of the features are in user space and the kernel handles basics like file i/o and scheduling. I mean, come on now, why is the WEB BROWSER part of the OS in Windows? Putting something which parses and displays downloaded documents of unknown origin inside the kernel is just asking for trouble. I think that their desire to destroy Netscape overpowered their common sense in this case.

    --
    Unknown host pong.
  3. Re:Palladium by rburgess3 · · Score: 3, Informative

    This could be the start of "Say something nice about Microsoft day!"

    Now now, I wouldn't go quite that far.

    How about: "Breathe a huge sigh of relief day"?

  4. NGSCB NOT a security project. by Hobbex · · Score: 5, Informative


    Please stop making the mistake of thinking that NGSCB was ever a security project. It is simply the newer name for "Palladium", Microsoft's total lockdown and DRM system to create a "trusted" (by the music industry, not by you) computer.

    Microsoft dropping this is good in every way, except that its ghost will return in other forms for sure...

    1. Re:NGSCB NOT a security project. by blowdart · · Score: 5, Informative

      Except it's NOT being dropped according to a WinHEC talk.

      Microsoft-Watch has details,

      Microsoft spent much of Day 2 of its Windows Hardware Engineering Conference (WinHEC) here refuting a published report claiming the company has axed its Next Generation Secure Computing Base (NGSCB) security technology. "NGSCB is alive and kicking," said Mario Juarez, a product manager in Microsoft's security and technology business unit.

      Who to believe?

  5. Re:Microsoft does what it does best by carsont · · Score: 5, Informative

    Whereas legacy systems such as Unix are finding it harder to support newer hardware features such as the NX codes in the latest AMD and Intel chips

    Uh, what?

    As far as I know, the so-called "NX codes" are just the ability for the MMU to mark a page of memory as non-executable.

    Real architectures, such as SPARC, Alpha, and PA-RISC, have had this feature for a long time. It's used in Solaris for the non-executable stack feature, and it's the basis for OpenBSD's W^X feature.

    So Intel, AMD, and Microsoft are just catching up to features which platforms you dismiss as "legacy systems" have had for years.

    --

    Ubi dubium, ibi libertas.
  6. No, Palladium is still very much alive by Anonymous Coward · · Score: 5, Informative

    Interestingly, at the same time as this article pops up in feedreader, I get this link from e-week that refutes the claim. Net: Microsoft says Palladium is still very much alive.

  7. Re:Ahead of its time by l33t-gu3lph1t3 · · Score: 2, Informative

    No, not the same. IIRC hardware memory protection used to be a thing that only high-end big iron utilized, and AMD's Opteron is the first x86 chip to have it.

    --
    ------- "From bored to fanboy in 3.8 asian girls" ----------
  8. Uh...just like WinFS? by bonch · · Score: 2, Informative

    Although I imagine knowing Microsoft, the problems were at least as much technical as political, and they just gave up considering it to be "too hard and we can't be arsed", just like WinFS.

    This is why people complain about Slashdot's misreporting and falsehoods.

    They never "gave up" on WinFS. WinFS is alive and well. All the MS blogs were making fun of the reporting on this--all that changed with WinFS was that some network things were taken out of it, extraneous features not required for it to work but will probably be added as additional downloads through Windows Update anyway.

    I love how reality is revised around here when people base their reality on Slashdot headlines. WinFS is alive and well.

  9. Re:Apparently... by carsont · · Score: 2, Informative

    Sounds well and good, but I can think of at least two questions: has anyone in the linux community looked into making use of this and, if not, why not?

    Real processors (SPARC, PA-RISC, Alpha) have had this same feature for years, and OpenBSD uses it as the basis for the W^X feature, which ensures that no page in a program's memory space will be both writeable and executable.

    So if you consider OpenBSD to be part of the "Linux community", then the answer is yes.

    --

    Ubi dubium, ibi libertas.
  10. Re:You are a moron by hal2814 · · Score: 2, Informative

    I think not.

    Bob != Clippy. Bob was some sort of front end that was on my Packard Bell from the factory. It was a confusing, clunky UI that I promptly removed.

    MSDOS != cmd.exe. cmd is a shell, much like bash or tcsh. It is not an OS. There is some DOS compatibility left in WinXP from what I hear so I'll concede this point, but I still maintain that I cannot get a good current install of MSDOS (minus Win32) from Microsoft.

    I am fully aware that Xenix was never available to end users. Last I heard SCO is keeping the Xenix heritage alive and well, but Microsoft has definitely abandoned that project at this point.

  11. Re:A few suggestions by EddWo · · Score: 4, Informative

    The web browser is not part of the kernel in Windows. It is just part of the explorer shell which is a user mode process.

    --
    "Taligent is still pure vapor. Maybe they'll be the last who jumps up on Openstep... "
  12. Re:Microsoft does what it does best by Rupert · · Score: 2, Informative

    IANACPUExpert, but my understanding is that x86 has had a distinction between code and data pages since at least the 80386. I don't know if NX is different from data. Why would you execute something that isn't code?
    Anyway, I know Microsoft has never taken advantage of this feature. I'm surprised *BSD (particularly FreeBSD) hasn't.

    --
    E_NOSIG
  13. Spoken too soon? by seanmcelroy · · Score: 4, Informative

    An eWeek article located here:

    http://www.eweek.com/article2/0,1759,1585363,00.asp

    says MS is denying this is true.

    --
    Be very, very careful what you put into that head, because you will never, ever get it out. -Thomas Cardinal Wolsey
  14. Re:YES by Hobbex · · Score: 3, Informative

    SE-Linux is Linux with a capabilities system added. That is very different from Palladium, which was the addition of tamperproof components to control and provide remote-attestation of the programs running on the computer.

    Capabilities are great, and I hope we see them in normal operating systems (not just the likes of EROS) some time. User hostile hardware chips meant to prove to record companies that the DRM software on the machine is not circumvented I hope we never see.

  15. Re:McDonald's hot coffee lawsuit by simonjester2424 · · Score: 2, Informative

    You know, I don't know why I'm "replying" to this AC, but I am. I'm sick of hearing this meme. The people mentioning it usually aren't aware that the health department had repeatedly asked McDonalds to turn down the temp. of the coffee makers. The coffee makers were set extra hot because you need less coffee grounds that way.

    --
    Beware of gifts bearing Greeks.