I must have forgotten when they convinced me that Clippy was a Good Thing
You notice they had to get rid of Clippy. People hated him. And let's not forget poor old Bob.
Microsoft is subject to market discipline just like every other company. The only reason they have a monopoly is that they've kept everyone happy enough. If they start doing things to make people unhappy, their monopoly will disappear faster than IBM's did.
I am just wondering how signing all the executables will protect anyone from viruses. Most viruses today are macro or scripted.
First, Palladium doesn't sign all the executables. As the article takes pains to mention, all the old Windows programs will still run. What Palladium does provide is "attestation", meaning that the secure hardware can report a hash of the secure part of the application to a remote server. That server can then decide based on the hash whether to trust the app.
As far as viruses, I think you're right that macro viruses wouldn't be stopped. The one advantage is that the scope of the damage might be limited, as any "sensitive" data on your computer could be encrypted using the Palladium hardware. So you could still get an email virus, but it couldn't access your bank account data.
Where does the article say anything about fees? That seems to be something the poster just made up on his own. I don't see anything in there about developers having to pay license fees to use Palladium. Do you?
It's clear from all of the referenced articles that this technology is so far only being explored with microwave radiation. That has wavelength on the order of centimeters and so we can easily create material with special structures of that size in order to get this peculiar negative effect. That's why the "lenses" are made of copper, etc.
All the talk about light and refraction refers to the microwave bands of the EM spectrum, which are down a bit from the visible light band. The same basic principles of refraction apply, and the left-handed materials show the corresponding paradoxical properties. It's not clear how feasible it will be to construct materials that work like this in optical frequencies. Certainly it will require extremely sophisticated materials engineering.
The earth's climate has fluctuated enormously over the past few hundred thousand years, with ice ages and warm periods. Prior to that, the sun was younger and warmer than it is today. Everything is changing all the time.
The question is, is change bad? If the sun is warming, do we need to take steps to counter the change? Should we devote our efforts to keeping the average temperature of the earth exactly the same as it was in 2003 or 1970 or some other canonical time? Were we living in Nirvana then?
Maybe we should instead change our attitudes towards change. Surely the vast changes in our culture, our technology, and our civilization make a huge impact on our lives. Would anyone say we should freeze these characteristics at a 1970 level? Stop global cultural change?
No, I think in those areas we recognize that change is going to occur. Some may be good and some bad, but we accept that we will have to adapt. Instead of expending enormous efforts in trying to freeze the physical world, let us adopt a similar attitude of flexibility towards changes there as well.
Change will always happen, and the distinction between natural and artificial isn't even philosophically meaningful (since humans are natural). We should develop the technology to deal with change, the strength of character and flexibility to adapt to it. Let us welcome change rather than viewing it as an enemy!
It's obvious if you read the article and the one it links to what the new story line will be - war with the Klingons, including major attacks on Earth. Archer and Enterprise will undoubtedly have to go into action both to reconnoiter, to enlist allies, and where necessary to go into action against the Klingons. This will be the birth of the Federation of Planets.
It's not exactly port scanning as most people think of it. They're looking for web proxy servers, which they can then use to see what web sites are visible to that system.
The only ports they really need to check are 80, 1080, 8080 and maybe a couple of others that are in common use. Then they send an HTTP GET command to try to access some publicly visible system like Yahoo, or maybe the local government home page. If it works, they've found a proxy server. More often they get a 404 or some similar error and they go on to another system.
But I wouldn't think it would make sense to scan a bunch of ports, most people run web proxies on the few listed above.
No, the recent OpenSSL attack was different. That relied on distinguishing messages which failed due to a bad MAC versus bad padding. The timing was slightly different in the two cases. It allowed you to get some portions of a sample message decrypted.
The new attack just looks at how long the RSA decryption takes for carefully chosen values, and determines from that what the RSA secret exponent is, which means the RSA secret key. So this leaks the server's secret key and the server operator loses all of his cryptographic security. It's a much worse break.
However the timing precision needed for the new attack is much tighter than for the pad-vs-mac one, so at this point it can only be mounted across a LAN or on a shared-user system.
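The bad-MAC versus bad-padding distinction mentioned in this comment, shown next to a check that removes it (an added example, not part of the original comments and not OpenSSL's code). The record layout, key and function names are constructed for illustration, and the number of HMAC computations stands in for the timing difference.

```python
import hashlib
import hmac

MAC_LEN = 32                        # HMAC-SHA256 tag length
BLOCK = 16                          # cipher block size the padding fills
KEY = b"constructed-demo-mac-key"   # sample key, for this example only


def build_record(payload: bytes) -> bytes:
    """Decrypted record layout: payload || HMAC || padding (n+1 bytes of value n)."""
    body = payload + hmac.new(KEY, payload, hashlib.sha256).digest()
    n = BLOCK - 1 - (len(body) % BLOCK)
    return body + bytes([n]) * (n + 1)


def padding_length(record: bytes) -> int:
    """Return the number of padding bytes, or -1 if the padding is malformed."""
    n = record[-1]
    if n + 1 + MAC_LEN > len(record):
        return -1
    if record[-(n + 1):] != bytes([n]) * (n + 1):
        return -1
    return n + 1


def mac_matches(record: bytes, pad: int) -> bool:
    """Recompute the HMAC over the payload and compare it to the stored tag."""
    end = len(record) - pad
    payload, tag = record[:end - MAC_LEN], record[end - MAC_LEN:end]
    expected = hmac.new(KEY, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def check_leaky(record: bytes):
    """'Before' behaviour: returns (result, HMACs computed).

    Bad padding exits before any HMAC is computed and is reported under its
    own name, so the two failure cases differ in both work done and message.
    """
    if len(record) <= MAC_LEN:
        return "bad record", 0      # length is visible on the wire anyway
    pad = padding_length(record)
    if pad < 0:
        return "bad padding", 0
    return ("ok", 1) if mac_matches(record, pad) else ("bad MAC", 1)


def check_uniform(record: bytes):
    """Hardened behaviour: always compute the HMAC, report one generic error."""
    if len(record) <= MAC_LEN:
        return "bad record", 0
    pad = padding_length(record)
    padding_ok = pad >= 0
    if not padding_ok:
        pad = 0                     # carry on as if there were no padding
    mac_ok = mac_matches(record, pad)
    return ("ok", 1) if (mac_ok and padding_ok) else ("bad record", 1)


def sample_records():
    """Constructed inputs: one valid record, one with broken padding, one with a broken tag."""
    good = build_record(b"GET / HTTP/1.0")
    bad_pad = good[:-2] + b"\x07" + good[-1:]    # corrupt one padding byte
    tampered = bytearray(good)
    tampered[14] ^= 0x01                          # flip a bit in the stored tag
    return good, bad_pad, bytes(tampered)


if __name__ == "__main__":
    for name, rec in zip(("good", "bad padding", "bad MAC"), sample_records()):
        print(f"{name:12} leaky={check_leaky(rec)} uniform={check_uniform(rec)}")
```

The uniform check still hashes a payload whose length depends on the padding, so it narrows the timing signal rather than making the check fully constant-time.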
Paul, what do you think about Microsoft's Palladium initiative and Trusted Computing in general? Will it achieve its goals from the security perspective? Is it only for DRM or are there other ways that you could use it?
DRM will make my computer able to be controlled by someone else. Trusted by someone else, which means control. I want to control the piece of text you copied and pasted from the e-mail I sent you yesterday. The only way I can do this is if I can trust your computer to enforce my restrictions. Someone, not you, had the ability to get this software "trusted". Otherwise you could make your own "trusted" software that violated the restrictions.
The proposed trusted computing systems allow my computer to send a secure hash of the software that I am running to your computer. In this way I can prove to you what program I am running. You can agree to send me a message only if my message-receiving program is one that you trust not to allow cut-and-paste or whatever. But I'm the one who chose to run the program.
This doesn't let you control my computer. Rather, it lets me prove to you some facts about what I am doing, if I so choose. That capability suffices to provide the kind of DRM that people find so threatening.
Why is this so awful? Why is it so bad for me to be able to prove to you what software I'm running? Nobody is forcing me to do so, it's just that you may choose to withhold your data unless I do. Sounds like mutual agreement to me.
Do you want to stop people from making agreements like this? Do you want to make it impossible for one person to prove to another what program he is running? I hope not. I hope you believe in human freedom and that people should be able to decide for themselves what software to run and what technology to use.
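The attestation exchange described in this comment and in the earlier Palladium reply (secure hardware reports a hash of the running software, and the other side decides whether to trust it), as an added sketch that is not part of the original comments. It assumes an HMAC under a shared device key in place of the chip's signature; the class names and sample programs are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample "programs"; a real measurement covers the loaded binary.
TRUSTED_CLIENT = b"music-client 1.0 (honours the sender's restrictions)"
PATCHED_CLIENT = b"music-client 1.0 (restriction checks removed)"


class SecureHardware:
    """Stand-in for the attesting chip: it, not the software, computes the hash."""

    def __init__(self, device_key: bytes):
        self._key = device_key      # held inside the chip in a real design

    def quote(self, program: bytes, nonce: bytes) -> dict:
        measurement = hashlib.sha256(program).digest()
        # Assumption: HMAC replaces the asymmetric signature real hardware would use.
        tag = hmac.new(self._key, nonce + measurement, hashlib.sha256).digest()
        return {"nonce": nonce, "measurement": measurement, "tag": tag}


class Verifier:
    """The remote party that decides, from the reported hash, whether to send data."""

    def __init__(self, device_key: bytes, trusted_programs):
        self._key = device_key
        self._trusted = {hashlib.sha256(p).digest() for p in trusted_programs}
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, quote: dict) -> str:
        nonce = quote["nonce"]
        if nonce not in self._outstanding:
            return "rejected: unknown or replayed nonce"
        self._outstanding.discard(nonce)            # each challenge is single-use
        expected = hmac.new(self._key, nonce + quote["measurement"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, quote["tag"]):
            return "rejected: quote not produced by the hardware"
        if quote["measurement"] not in self._trusted:
            return "rejected: software not on the trusted list"
        return "accepted"


def run_demo() -> dict:
    key = secrets.token_bytes(32)
    chip = SecureHardware(key)
    verifier = Verifier(key, [TRUSTED_CLIENT])
    results = {}

    # The owner chooses to run the trusted client and to prove it.
    honest = chip.quote(TRUSTED_CLIENT, verifier.challenge())
    results["trusted client"] = verifier.verify(honest)

    # Re-sending an old proof does not work: the nonce has been used.
    results["replayed quote"] = verifier.verify(honest)

    # The owner may run a modified client; the verifier may decline to send data.
    patched = chip.quote(PATCHED_CLIENT, verifier.challenge())
    results["patched client"] = verifier.verify(patched)

    # Software cannot claim a different hash: the tag covers the measurement.
    forged = chip.quote(PATCHED_CLIENT, verifier.challenge())
    forged["measurement"] = hashlib.sha256(TRUSTED_CLIENT).digest()
    results["forged measurement"] = verifier.verify(forged)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:20} -> {outcome}")
```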
" . . . making him, he says, the neighborhood geek in a black culture where adolescents rewarded only athletes and tough guys."
I think this was the reporter's attempt to subtly inform us that McLurkin is black. It adds some interest to the story - probably not many black engineers have won in the past - but he feels awkward coming right out and saying it. The reporter is trying to be cool about it, like, "oh, he's black? I didn't even notice, that's how color-blind I am." But he has to let us know. This lets him do it without admitting that he's doing it.
It's sad to see that this kind of pussy-footing is still necessary for some people.
All these comments claim that the band members are idiots who sign a contract without knowing what's in it. But in the (fake) example in the article, they paid over $100,000 to a lawyer who got them the contract!
How do you explain how they got into such a terrible contract if they paid that much money to their lawyer? This isn't a case of some greenhorns who didn't know anything about what they were signing. They had a very expensive lawyer to advise them. Did the lawyer simply shirk his business ethics? Did he fail to protect his clients' interest?
Or, more likely, is this just a bogus example whose numbers don't add up, intended to stir up anger at the "evil" record companies?
Software that doesn't support DRM will not be able to view these documents, and making software such as open office compatible will be a DMCA violation.
Actually, the DMCA has an explicit provision allowing reverse engineering for compatibility. You can break encryption and everything. It's one of the only exceptions in the DMCA.
It makes the chances of writing an office suite that is compatible with MS Office 2003 almost impossible. I bet the DMCA will make it illegal to reverse engineer the crypto you'll find this new IRM technology uses.
Actually, the DMCA has explicit provisions to allow defeating copyright protection if it is for the purpose of reverse engineering. It's one of the only exceptions there is.
Few of you have read the document from Citibank. In the first place, it's not even Citibank! It's Diner's Club, and specifically Diner's Club South Africa, which is suing two customers who refuse to make good on supposed ATM withdrawals. (The withdrawals were made in England while the customers were in South Africa.)
In the second place, the really funny part is that Diner's Club South Africa is trying to force Diner's Club International to produce experts to testify! DCI didn't want to help DCSA to this degree so DCSA is trying to get the courts to force them to help.
But the main point is that the "gag order" reads as follows:
The parties, their legal representative and their experts shall keep confidential all information revealed during the examination and such information shall not be used for any purpose other than the purposes of the Proceedings and the parties shall take all steps necessary to keep such information confidential
This is what Ross Anderson objects to. He agrees that if the DCI experts testify about confidential information regarding the workings of the ATM system, that that should be kept secret. But he doesn't want the secrecy order to be so broad that it would interfere with him and his students publishing data based on publicly available information. He wants to make sure that the secrecy order is drawn to clarify the distinction between information that is available elsewhere and confidential information revealed by the experts.
So when you look at it this way, it's not at all the black and white issue that is being presented here. Neither Diner's Club nor Citibank is seeking a "gag order" to suppress discussion of vulnerabilities. They just want to make sure that confidential testimony by their experts (information which they are contractually bound to keep confidential based on their relationships with others in the financial community) is kept secret. And the only issue is the technical details of how to draft the secrecy order.
In short, it's a tempest in a teapot. Move along, folks. There's really nothing to see here.
Maybe Microsoft would agree to sign a TCPA version of Linux. Then the Linux kernel could be designed so that it couldn't re-flash the ROMs or whatever it is that Microsoft is worried about.
By contrast, Sydney Uni says it knows of one student with a handful of files on a website...
Are you trying to imply that unauthorized file sharing almost never occurs at universities? Don't make me laugh! At least in the United States there are uncounted gigabytes devoted to this activity. Many universities have had problems with network bandwidth due to file sharing. It's a lot more than "one student with a handful of files"! How credible do you hope to be when you make claims like this?
Palladium lets me control how my software will run on your computer. I should consider that a good thing.
However, what isn't stated is that Palladium lets you control how I use my computer. That I do not like.
It doesn't do either one of these things. What it does is to let you prove to me what software you are running, and vice versa. Therefore we can mutually agree on some data exchange only if we know what software is running on the other end to handle the data. Maybe I'll only download my music to you if I know you're running a music client that does DRM. Maybe you'll only let me join your online game if you know I'm running a non-cheating game client.
This is not control. This is informed, mutual agreement of a kind which is impossible in the online world (but routine in the physical world) today.
I remember reading somewhere once that fair use is actually only available to you if you are able to carry it out, the manufacturers/publishers don't have to provide you with the ability to copy something freely or run/play that copy freely.
I think this is largely true - fair use is a defense to a claim of copyright infringement. So if you made a copy of some data, and the copyright holder sued you, you could defend against the suit by saying that it was fair use. I think you're right that the copyright holder doesn't have to specifically engineer his technology to make sure you can copy it.
I believe this came up in the DeCSS case and the judge decided that the point was moot, because movies are still released on VHS tape and so you can still make fair use of them for commentary, criticism etc. But I don't think this was the deciding issue in the case.
IMHO it is never a good thing to try and suppress a technology just because you are afraid of what someone might decide to use it for. This is exactly the kind of thinking behind the DMCA, which tries to suppress a vast class of technologies because they could theoretically be used to break other laws.
I think you have made a very good and often overlooked point. People should be free to make their own decisions about the technologies they use. We may not agree with those decisions, and indirectly their decisions may hurt us, like the fact that 90% of computer users choosing Windows makes it hard on us Mac and Linux users. But those are their free choices, and they have reasons for making those choices.
As long as Palladium is not mandated, we should not try to get it suppressed. Let the technology compete in the markets. If people start doing all those "evil" things with it, let other companies compete with them by not putting so many restrictions on the data. Imagine you had a choice between two music subscription services, A which uses Palladium and puts all kinds of DRM restrictions on your music, and B which does not use that kind of technology. But B costs more than A. Now you have a choice, consumers have a choice, and they can decide how much the freedom to manipulate music is worth to them.
Having more choices is good! Palladium opens up a whole new range of techniques for manipulating data that are impossible today. The people who are trying to shut down Palladium are the ones who are trying to take away choices, who are trying to force people to use computers in ways that they approve of. That's not how we should approach the future. The world is a complex place, and the more tools we have to deal with the issues ahead, the better. Palladium is one more tool that gives us new ways to handle data, and it can only increase our flexibility and our options.
In other words, my beef with Palladium is that the security control is set at the level of the creator and not of the user.
But it's the user who gets to decide which creator's program he will buy. Would you really want to buy a word processor which encrypted all your files such that you might lose all your data if your computer died, or if you stopped paying some future license fee, or if the company stopped supporting the product or went out of business?
I can't think of a quicker way for a company to cut its own throat! This would be a massive invitation for competitors to come in and eat its lunch. No sane corporation would do this, and no word processor which worked like this would succeed.
Wasn't there an article on slashdot a while back talking about how someone had defensively patented Palladium-DRM schemes in order to prevent M$ from doing exactly this?
That was cypherpunk "Lucky Green", who said he submitted a patent application on ways to use Palladium for software copy protection. This was after Microsoft publicly told him that not only did they have no plans to do that, they couldn't even think of a way to use the technology for that purpose. Lucky said that he could think of lots of ways, so he'd go ahead and patent them. You can read more about Lucky's plans here.
I haven't heard anything about this lately, and a recent patent office search for applications under Lucky's real name (widely known, his initials are MB) didn't turn up any hits. So I don't know if he actually went through with it or not.
Sounds like it's about as contagious as the common cold, except that it's deadly. Not a good combo.
John Anderton! You look like you could use a Guinness right now!
Did you see this line?
As a result, Wu said, there are fewer than 20 professional-quality albums produced per year in China. This lack of large-scale music production inhibits the entry of talented newcomers.
Unbelievable! Granted China is a poor country, but with their population they must have millions of talented musicians. Yet only 20 professional albums are produced per year. I can't think of a sadder commentary on the effects of universal piracy. Let's hope we don't end up in the same state here in the West.