Microsoft Drops Next-Generation Security Project [updated]
grooveFX points to this CRN article which starts "After a year of tackling the Windows security nightmare, Microsoft has killed its Next-Generation Secure Computing Base (NGSCB) project and later this year plans to detail a revised security plan for Longhorn, the next major version of Windows, company executives said..." grooveFX writes "Glad to see they actually listen to the gripes from the media and users."

Update: 05/05 19:13 GMT by T : phil reed writes "Oops. According to this article on Microsoft Watch, Microsoft really isn't giving up on NGSCB (aka 'Palladium') after all. Microsoft spent much of Day 2 of its Windows Hardware Engineering Conference (WinHEC) here refuting a published report claiming the company has axed its Next Generation Secure Computing Base (NGSCB) security technology."
If this goes well, they plan to cancel all security projects.
Palladium was too ambitious. It's nice that they're at least going with memory page protection.
------- "From bored to fanboy in 3.8 asian girls" ----------
So, what does this mean for 'Trusted Computing'?
Isn't NGSCB Palladium?
Surely this is pretty good news and indicates that MS might not be so able to force these kinds of security measures on their customers.
Although I imagine, knowing Microsoft, the problems were at least as much technical as political, and they just gave up, considering it to be "too hard and we can't be arsed", just like WinFS.
This sig has been deprecated.
I've got three suggestions for Microsoft on the issue of security:
Like the airlines think Safety, Safety, Safety, Microsoft needs to adopt the slogan.. Security, Security, Security
Simon
Their Next Generation security project was doomed from the start once Lore kidnapped Data and took his place in the landing party.
I watched C-beams glitter in the dark near the Tannhauser gate.
...that the "revised security plan" will make heavy use of the recent advances in obscurity technology.
pi = 3.141592653589793helpimtrappedinauniversefactory7
Microsoft has security projects?
This is Palladium, and it has not been "dropped", only shelved because it was too ambitious. They say they've invested too much in this not to take advantage of it.
I'm out of my mind right now, but feel free to leave a message.....
Trusted computing, therefore, facilitates reduction of competition.
Don't blame Durga. I voted for Centauri.
Microsoft also lowered the hardware requirements for Longhorn from 2x4 GHz procs to a single 1 GHz proc, citing the decrease in complexity of DRM that will free up much of the needed processing power.
I tried for 5 years to come up with a clever sig...only to realize that I am not clever.
What makes you think they are listening? They are presumably publicly "killing the project named NGSCB", quietly inventing a new name and happily keeping on working on that, less publicly this time. Now that they have used the publicity of Palladium/NGSCB to make initial "front door" contacts in the entertainment industry, they know who to expect at the "back door".
The ol' "keep renaming the thing so people don't have a steady label for what they are fighting". The British Sellafield->Windscale->THORP nuclear shenanigans, the last Palladium->NGSCB name change, TIA->something-or-other. All the same propaganda trick.
The solution for opponents is to either keep using the old name so that the public latches onto it (everyone still calls it "Sellafield" and, to an extent, "TIA"), or invent your own name and get it to penetrate the public consciousness (much harder; the only example I can think of is "Infidel").
What we need is "No Executive" security technology. Even the greatest security tools can be hogswaddled by the pointy hair types.
[/obligatory upper-management jab]
This one gang kept wanting me to join cause I'm pretty good with a bo staff.
Glad to see they actually listen to the gripes from the media and users.
Microsoft doesn't listen to the media and the users, they listen to their shareholders and their finance guys. And they are saying that Windows looks like crap when it comes to security, undermining the credibility of the product, in turn threatening the sales and therefore their dividends.
Microsoft listen to users? Bah... If they did, they'd have jumped on the internet bandwagon much earlier. They're going about the whole security thing just like they dealt with TCP/IP and the web: they're thrashing to catch up. And the sad thing is, they probably will sooner than you think...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Microsoft never lets projects really die. They may kill off other companies' projects, but never their own.
What they are doing, as they have done in the past with such flops as Bob, is slowly merge the improvements and features that they planned on delivering in a single project into their whole lineup across the board. As the article says, Longhorn is planned to incorporate this security technology.
While this is by no means a cure-all for the problems that Windows faces, it is a step forward in computing. Whereas legacy systems such as Unix are finding it harder to support newer hardware features such as the NX codes in the latest AMD and Intel chips, the deep corporate partnerships that Microsoft has with these companies allow them to bring such technologies to the public at a faster rate than otherwise possible.
That said, Windows sucks, has sucked, and will continue to suck. Linux shows it up every single time. Not to mention that Linux's security structure is already designed to thwart the exact problems that Microsoft is attempting to stop.
I have been pwned because my
First they cancel WinFS, now the NextGen security stuff. They just delayed it to 2006, and they just announced hardware specs that are totally way off. The next thing they cancel is Avalon, and they will delay it to December 2006. In the end it will be a minor upgrade, as WinXP was to 2k, with some boring new stuff and an ugly new GUI theme. We've seen this before. This won't stop them from calling it the biggest step since Windows 95. Well, nothing to see here. Move along...
;-)
Actually, it's good for the Linux Community that Microsoft keeps making the same mistakes again and again. Ahh..old faithful!
Maybe Miguel will now rethink his very stupid "I'm scared, I'm very scared" quote he made a few days ago...
Can we please get this modded past all the responses that seem to think that NGSCB has something to do with security. NGSCB aka Palladium is/was Microsoft's locked-down "trusted" computer project, meant to facilitate DRM. It never had anything to do with security save for in name and spin.
This is a good thing of course, but I seriously doubt it means that Microsoft won't find other ways of sneaking locked-down computers onto us in the future...
We are getting to the stage where a fair chunk of PCs connected to the Internet are destined to die. It's reasonable to assume that MS has performed a kind of triage:
- Home PCs are beyond the reach of any help. Whatever is done is already too late. Home PC users will have to migrate to Linux within 6-12 months or face working without the Internet.
- SMEs can be protected with additional work. SMEs need better firewall security and better patching methods.
- Most enterprise computing is safe as is. Many data centers will switch away from Windows for cost and reliability issues, but the ones that can't will remain faithful Windows clients.
So Microsoft has to concentrate on helping the people who can still be saved, namely SMEs that have several PCs behind a shared internet connection. Having seen three of my friends' PCs dead today from Sasser (MSIE rebooting without end, and no way to do anything else on the system), I'm rather sceptical that home computing can be saved.
Sig for sale or rent. One previous user. Inquire within.
Please stop making the mistake of thinking that NGSCB was ever a security project. It is simply the newer name for "Palladium", Microsoft's total lockdown and DRM system to create a "trusted" (by the music industry, not by you) computer.
Microsoft dropping this is good in every way, except that its ghost will return in other forms for sure...
The witch is dead, but will likely be replaced by an ogre or a kraken.
Don't blame Durga. I voted for Centauri.
In a recent interview with WinEvil.com, Gates confirmed, "Yeah, it [the NGSCB] just wasn't eeeevil enough for us. We've got a history of setting the evilbar pretty high, and our current efforts were "extremely irritating" at best... We're looking for true unadulterated mindbending evil, and we know our customers won't settle for anything less. Give us a chance -- you won't be disappointed."
Gates then proceeded to use a Windows XP CDRom as a prism to magnify his own inner evil until it was focused enough to melt a cute puppy, drawing appreciative applause from the crowd of evildoers. The crowd then had a huge WindowsXP InstallFest and cut off their own testicles in preparation for the comet Zurg's arrival to take them away.
I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."
- WinFS wasn't cancelled. It was scaled back so they could deliver what worked in a reasonable timeframe.
- Microsoft hasn't announced hardware specs. What you're referring to is what a bunch of watchdog folks are GUESSING will be the hardware specs.
- WinXP is much more stable than 2k. If you consider stability a "boring" enhancement, well, I bet you're in the minority.
Yes. I've been trying to get the C++ committee to tighten up that language for years, with little success. It's time to get more serious about this, and apply pressure via ANSI (which is supposed to ensure that standards are safe) and the Department of Homeland Security's National Cyber Security Division. Like it or not, we need to go to full subscript checking for anything that could possibly be exploited. The resulting 10-20% performance hit is minor compared to the costs of dealing with these attacks.
I've sent this to the C++ committee:
The Sasser worm exploits a buffer overflow in Microsoft's LSASS service, which is, apparently, written in C++.
Perhaps more weight should be given by the Standards Committee to tightening up C++ and making it a safer language. The Committee has consistently rejected most suggestions which tighten up the language, usually on the grounds that they would impact existing code or prevent some dangerous but valid code from being used.
It is now appropriate to ask ANSI, and the Department of Homeland Security's National Cyber Security Division, to reevaluate the C++ committee's priorities in the light of the documented and substantial damage caused by weak safety features of the language. Whether the committee should be permitted to promulgate unsafe technologies with ANSI approval must be seriously questioned at this point.
That will probably be ineffective. The appropriate forum will probably be Congressional hearings on computer security, which were threatened last year after the SOBIG virus, and are likely to happen this year.
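As an added illustration of the "full subscript checking" the comment above argues for (example code written for this page, not anything from the commenter, the C++ committee or Microsoft), here is the same length-prefixed copy written with raw subscripting and then with checked subscripting. The wire format (one length byte, then that many payload bytes) and both sample messages are constructed for the example and are not the LSASS protocol or any real one.

```cpp
#include <array>
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed inputs (hypothetical wire format, not LSASS or any real
// protocol): one length byte followed by that many payload bytes.
inline std::vector<unsigned char> benign_msg() {
    return {5, 'h', 'e', 'l', 'l', 'o'};
}
inline std::vector<unsigned char> hostile_msg() {
    std::vector<unsigned char> m(1 + 64, 'A');
    m[0] = 64;  // claims 64 bytes for a 16-byte destination field
    return m;
}

// Vulnerable form: raw subscripting trusts the attacker-supplied length.
// With hostile_msg() the loop writes past the end of 'field' (undefined
// behaviour; in practice a stack smash).  Only called with benign input here.
struct UncheckedRecord {
    char field[16] = {};
    void fill(const std::vector<unsigned char>& msg) {
        std::size_t len = msg[0];
        for (std::size_t i = 0; i < len; ++i)
            field[i] = static_cast<char>(msg[1 + i]);  // no bounds check
    }
};

// Hardened form: std::array::at() and std::vector::at() perform the
// subscript check and throw std::out_of_range instead of corrupting memory.
// The message is rejected as a whole so no partially copied data survives.
struct CheckedRecord {
    std::array<char, 16> field{};
    bool fill(const std::vector<unsigned char>& msg) {
        if (msg.empty()) return false;
        std::size_t len = msg.at(0);
        try {
            for (std::size_t i = 0; i < len; ++i)
                field.at(i) = static_cast<char>(msg.at(1 + i));
        } catch (const std::out_of_range&) {
            field.fill('\0');
            return false;
        }
        return true;
    }
};

// Parse with the checked record; returns the copied field as a string and
// reports through *ok whether the message was accepted.
std::string parse_checked(const std::vector<unsigned char>& msg, bool* ok) {
    CheckedRecord r;
    *ok = r.fill(msg);
    return *ok ? std::string(r.field.data(), msg[0]) : std::string();
}
```

The checked form costs one comparison per access, which is the price the comment is willing to pay. On libstdc++ the same check can be switched on for plain `operator[]` by compiling with `-D_GLIBCXX_ASSERTIONS`, and building the unchecked form with `-fsanitize=address` turns the silent overwrite into an immediate abort under test.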
Interestingly, at the same time as this article pops up in feedreader, I get this link from e-week that refutes the claim. Net: microsoft says palladium is still very much alive.
Problem is, people (particularly Windows users) buy features before they buy security.
IMHO that's because Windows users have given up on getting security. B-)
With a choice of an insecure platform with fewer features or an insecure platform with more, of course they'll pick the one with more. Just think: They might actually be able to get something done between crashes, infections, and reinstalls.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
"Decrypts MSIL?"
Ahahahaha...have you not heard of the Common Language Specification, which publicly explains to compilers how to produce the intermediate code? We could have Python.NET if we wanted (and it's being worked on).
This isn't exactly some sort of black secret. They published them as open standards. How do you think Mono exists? Any compiler can look at the specs and produce the code.
Sigh...Slashdot sucks these days. The endless Microsoft articles are boring and uninformed. Remember when it was cool tech news?
What's the odds that Microsoft will continue to seek a way to push their concept of trusted computing onto the consumer -- by giving it another new name? Palladium got too much bad PR, so they changed the name. Enough people caught on, so now they are abandoning that name (not the project, for sure).
I was taking one day at a time, but then several days got together and ambushed me. (from a Rhymes with Orange comic)
The fact is that the only way to implement this sort of DRM is through tamper-proof hardware, and even then it's not as if someone with a camera phone, or even a good old small film camera, couldn't get a copy of that 'private' email (which is mostly what they are touting its use for). As for music and videos, there's the if-I-can-see-it-I-can-copy-it problem, which just can't be stopped; people will tolerate surprisingly low quality. And this isn't rocket science either; most people will be able to defeat these systems, software or hardware. It's not in Microsoft's interest to pursue this unless they want to piss people off or look very stupid when their "virus proof" OS gets hit one week after launch. It was a stupid idea before and it always will be a stupid and hated idea. I'm glad they dropped it.
This comment does not represent the views or opinions of the user.
Again, this is why people think Slashdot is a fucking joke when it comes to reporting "tech news." Slashdotters spread these incorrect truths around and they just become true because it's anti-"M$."
:)
WinFS was NOT cancelled. It wasn't even scaled back. They just removed some extraneous network features not required (which will probably be free downloadable updates anyway). But, all the sites like Slashdot completely SPUN it and misreported it. Slashdot is owned by VA Linux, so the agenda is obvious.
All the MSDN blogs were laughing about the reporting on this. And the Slashdot hivemind--that means all you people out there who build your computing mindset based entirely on Slashdot articles--proves itself ignorant and foolish-looking once again. The rational among us know better.
WinFS is alive and well. MSDN just put a technology showcase video out about it a couple of weeks ago! All they did was decide not to implement some network-specific features in order to focus on getting the core technology done.
This is the second time I've seen WinFS supposedly "cancelled" in this article discussion.
they plan to provide DRM kits to script kiddies so all viruses are signed, and thus acceptable to Windows.
if this is supposed to be a new economy, how come they still want my old fashioned money?
It also would have opened up new markets. It's interesting to note that all of the great innovative periods in human history have been carried on the backs of breakthroughs in travel, commerce and communications. Even the lowly canoe can be credited for the rapid westward push in Canada and the US. (Shame about the beaver, however.) The invention of "coin of the realm" and accounting practices allowed goods to be passed over huge distances; even the Marco Polo trail carried "mail-order" goods.
At present we don't have ways in place for people to watch digital movies and other protected content in ways that the owners are willing to produce or share their content for. Let's not get into an RIAA riff here. The point is that lots of people do want to "rent" content and watch it, and without a secure communication channel they can't.
Likewise, things like internet voting and commerce transactions are held back by the lack of ubiquitous secure channels.
Thus, while I disliked the implications of NGSCB for having control over my machine, I would have liked to have had one in my house. I'd have two computers: one for my own uses and one for the cases where security outweighed the other issues.
Some drink at the fountain of knowledge. Others just gargle.
Implementing Palladium hard will do one thing overnight. Many tech-savvy Windows users would switch away in a heartbeat. Most if not all of my friends who use Windows rarely pay for any application they use. They consider it their god-given right to download anything they please. Any hindrance to that would make them switch in no time, since they are very reluctant to actually start forking over the dough for the applications they use. Bring in all the movies and music they download and they would gladly suffer hell on a command line to avoid having to pay for the things they use.
Come to think about it, harder and more vigilant enforcement on commercial software is only going to drive these people to open source no matter how they do it. Enforce and people migrate; don't and people don't pay. They are in a tough spot, BSA and ppl.
An eWeek article located here: http://www.eweek.com/article2/0,1759,1585363,00.asp says MS is denying this is true.
Be very, very careful what you put into that head, because you will never, ever get it out. -Thomas Cardinal Wolsey
I used to be afraid of what Palladium could do for the computing industry. Many tried to convince me that there was nothing to fear because there was no way in heck Microsoft could ever get anything done right and on time. It appears they were correct. Now it's being pushed back to Longhorn, which is being pushed back to oblivion. Now I'm left wondering what all the fuss was about.
Heck, Microsoft cannot even secure its own "proprietary" gaming console, why did we ever fear that they'd lock down all of our computers?!
If someone says he and his monkey have nothing to hide, they almost certainly do.
I call bullshit.
*How* can NGSCB and Palladium be used to enforce the GPL?
Oh, by tying the source code to a key, which makes it impossible to change the source code and use the same key... but the verification is against the key. By tying the binary to a key, and making it impossible to modify the binary? So, rebuild the binary, and key use is lost.
In other words, these measures *can't* be used to enforce GPL. So much for this tool.
Now, is Palladium a security project? Well, yes, but not for the end user. Indeed, the end user can run the same old trojans, etc. as before. Palladium *will* prevent the trojan from accessing data that has been "protected", by kicking out the unsuitable software.
It was NEVER meant to secure YOUR stuff -- if you want that, go use GPG, etc. I assume that even MS Outlook must have some integration with GPG! (all of my emails are digitally signed).
Ratboy.
Just another "Cubible(sic) Joe" 2 17 3061
If you don't believe my security statement, just wander on over to securitytracker.com - there are more discovered flaws in the recent past with Linux than with Windows.
a) Despite the increased amount of bundling Microsoft's done over the years, a "Linux distribution flaw" is still awfully different from a "Windows security flaw". A Linux distribution is composed of many, many more lines of code and pieces of software than Windows. If you want to include security problems with Open Office, it's only reasonable to include security problems with MS Office.
b) Local exploits attract attention on Linux. A lot of "exploits" in Linux are local attacks. Local security on a Windows box is pretty much a lost cause.
c) When Microsoft discovers a security problem and fixes it internally, they don't say "fixes a security hole in...". They just bundle it with some other set of fixes and stay quiet. You won't hear about it.
d) MS has a PR department that spins bugs as "issues" and tries to dampen criticism of security. In the open source world, people generally call "bugs" "bugs" (and frequently wishlist items "bugs", which would drive companies with marketers bananas).
e) Many previous Microsoft security holes just wouldn't happen in the *IX world because of the more security-oriented culture (note that I suspect that Microsoft is improving here). MSIE and Outlook grant a lot of power to remote websites to cause execution, to modify bookmark lists, and the like. Windows NT infamously shipped with a blank Administrator password (and no prompt to set one during the install process), all drives shared by default *invisibly* (they were administrative shares, and the only security in place was the fact that Microsoft clients didn't display administrative shares remotely), and automatically reshared drives upon reboot if sharing was turned off on a drive.
f) Microsoft has been known to blame sysadmins for security problems ("Well, yeah, your network was compromised and your data destroyed by the latest virus, but you didn't firewall our systems, and we released a patch a week ago which you should have deployed.") *IX boxes were designed to sit on a network and be fully accessible, and "firewalling to fix implementation flaws" is not an interesting approach to most *IX admins. Plus, most open source contributors *are* sysadmins to some extent.
Want to do some *real* security criticisms of Linux? How about the following:
* Red Hat was trying to set a new golden security standard for Linux by adding SELinux *by default* starting in Fedora Core 2. This would have allowed giving limited access to things to processes (a sore Linux lack), helped make software SELinux-compatible, and paved the road for other distro vendors. Red Hat, after two test releases, finally just backed down on including SELinux enabled by default in FC2, saying that it just caused too many problems at the moment. This represents a loss of a year at least in moving to a much more powerful and secure security system.
* Stack overflow protection mechanisms are still not standard in the Linux world. The only distro vendor that I know of that definitely includes such a patch enabled by default currently is Red Hat with exec-shield. In contrast, *Microsoft* just added stack execution blocking to Windows.
* Filesystem ACL support in Linux today sucks. A lot. A software author cannot rely on filesystem ACLs being present (since they are not by default on most Linux boxes) -- just old-style *IX permissions. One can improvise to get *some* of the ACL functionality by cleverly nesting directories and adding users to extra groups for each directory in question, but most Linux boxes *still* have a 32 group-per-user limit. The *IX permission scheme is simple, fast, and easy-to-audit. However, it is lacking for many users -- there are a lot of sysadmins out there who'd like to be able to say "Anyone in Development can read or write this directory, Mary and all of the Marketing gro
May we never see th