Questions for a Lecture on Microsoft's Palladium?
An anonymous reader asks: "Microsoft is going to be giving a lecture on Palladium
for my Computer and Network Security class at MIT this Thursday. We're told that it's going to be the most technically detailed lecture publically given to date, and that we should be armed with questions as a result. Any suggestions from the Slashdot crowd? What technical details have you been dying to know about Palladium?" It would be interesting to hear back from someone who is planning on attending this. For those who wish they were, but can't for one reason or another, what would you have asked by proxy?
What's in it for consumers? (Score:5, Insightful)
Ask them how it'll help you... (Score:5, Insightful)
The biggest question in my mind on Palladium is how it's supposed to help users. Why we're supposed to use it, instead of just keeping on using our old Palladium-free computers.
Why is Palladium Needed? (Score:5, Insightful)
And how does "trust" have anything to do with Palladium. Palladium is a system of control, not of trust.
Ramifications for Independent Content (Score:5, Insightful)
The only way I can see it possible to effectively implement DRM is to require computers to not play any digital content that does not have a valid encrypted signature, as provided by the various media companies, and/or Microsoft and Intel.
My main concern, is that independent producers/composers/moviemakers will be locked out of distributing digital content, because the companies involved in Palladium, and other DRM schemes, can choose to withhold issuing these encrypted signatures to them, therefore rendering their content unplayable on Palladium-enabled systems.
I feel, as a copyright owner, and musician, that this infringes upon my rights to distribute my work signature-free, for anyone to be able to play. I do not want a special tag on my releases telling people this is official. I would just like to see my stuff "out there". Therefore, this infringes upon my right to the "pursuit of happiness", as ordained by the constitution.
Anyone else have thoughts?
Optional (Score:5, Insightful)
Could you ask them what "optional" means for me?
Please note the presence of any lawyers.
-Peter
My question is... (Score:5, Insightful)
Secure Palladium? (Score:5, Insightful)
Hmmm.. On that note, maybe Palladium is a preview to Microsoft Silver?
Re:What's in it for consumers? (Score:3, Insightful)
Re:An obvious question from the /. crowd (Score:5, Insightful)
Go even more general than this, so you don't even have to bring up competition:
How can user written software run on a 'trusted' system?
Embarrass MS or educate audience - a win-win (Score:5, Insightful)
1. If you turn it off - as MS claims they're going to allow - will the system then appear to apps, content & the network as "a Palladium PC with Palladium turned off" or as a non-Palladium PC? (Hint: it's the former.)
2. Will I still be able to flash my BIOS? *All* of it? replace it completely? (Assuming TCPA hardware, they're lying if they say 'yes'.)
3. Why would I want to buy this, if I'm not interested in Hollywood movies but do want complete control over my computer?
Demand? (Score:4, Insightful)
Editorial - I can see people moving in droves back to high-quality analog video and audio editing as a result of DRM technology being forced upon consumers. The whole point of a fast digital computer is to rapidly and conveniently manipulate digital data regardless of the format on a single machine, so any restrictions on doing so is a step back towards single-use analog or simple digital circuits.
Don't they SEE what they're doing in the big picture? The day a personal computer won't compute what you want it to compute is the day you switch to something that will, plain and simple. They're playing with nothing less than the death of the general purpose processor.
Microsoft is listening (Score:4, Insightful)
Just something to keep in mind
Re:Second post! (Score:4, Insightful)
Since Brian LaMacchia was an MIT doctoral student of Hal Abelson who is the prof concerned, chances of that happening are nil. I presume he is giving the talk as he is also speaking at another event on Friday.
Brian designed much of the security architecture for dotNET which is pretty much state of the art for network application security. He also started the MIT PGP key server. Whatever Microsoft's past reputation might be, Brian is not responsible. Don't confuse the security abilities of the folk who write IIS or Outlook with the abilities of security specialists. As a group there are very very few organizations where anyone listens to us. Netscape had a really bad problem with security until they hired Taher and the brothers Weinstein and they only got listened to there because Netscape got burned badly in several fiascoes in succession - like SSL 1.0 being broken before Marc sat down at the end of his presentation, the random number bug which they had been warned on repeatedly, etc. etc.
Don't fool yourself, all computer software companies have security problems that need to be addressed. I don't think the open-source scheme to get security consulting for free is going to be a good long term solution.
The point that slashdot people miss on Palladium is that for years the common rebuttal to a lot of security solutions has been 'you can't do that without trusted hardware'. So the fact that MSFT is pumping money into developing a trusted platform is a significant step forward.
OK folk may not like trusted hardware being available to the RIAA, but they are not the only people who can benefit. It is kinda like the same situation we had with key recovery and Clipper. Freeh was right, there are commercial uses for key escrow, it is kinda a problem if you have an encrypted disk and there is no copy of the key anywhere. Problem was that Freeh's illegitimate demands killed the legitimate market. Don't let the RIAA do that with Palladium.
For example storing your credit card # on a PC makes no sense, people still do it. They can do it a heck of a lot more safely if there is a trusted platform which will only allow trusted wallet applications access to that key.
Another example, for years we have wanted to have PCs that simply refuse to boot except to repair mode if the O/S has been tampered with. That way a trojan or virus can't lurk for years. Tripwire tries to do something like this but it really is a substitute for secure H/W.
The Palladium folk know that any hardware scheme is vulnerable to hardware attacks. That does not make such schemes unworkable however. Despite the fact that smartcards are vulnerable to electron microscope attacks they do raise the bar significantly.
Re:Target Consumers? (Score:2, Insightful)
The eventual aim of Palladium is to make software and content rent-only, thus removing the first-sale doctrine.
What not to say (Score:5, Insightful)
There was a MS representative at the career fair here at UVA and as soon as I mentioned the word linux, the conversation pretty much ended.
Re:Microsoft is listening --- AS IF (Score:3, Insightful)
uh...yes?
http://slashdot.org/article.pl?sid=02/10/15/004
Devil's Advocate (Score:5, Insightful)
Their answer will be:
"Providing adequate protection for digital content helps ensure that the quality of that content is protected, and maintaining the rights of the content producer will help maintain the quality of their work, which helps us all."
Again, I don't agree with this nor do I think it is a compelling reason, but if I were a Microsoft Market-bot-3000, that would be my standard output.
Re:Ramifications for Independent Content (Score:5, Insightful)
Microsoft has said many times that Palladium does not do this. Of course, anyone could write software which would only play content that had a signature, and that software could otherwise use some Palladium features. But this is not Palladium functionality per se.
What Palladium does is kind of the reverse: it lets the remote server check that you are running "kosher" software. A remote server could refuse to stream content to anything other than Windows Media Player, for example. Palladium would allow WMP to cryptographically prove to the remote server that it was running, and nobody could write a "fake" WMP that could fool the remote system.
Then WMP can impose whatever DRM policies it wants, and the remote server can be confident that the data it sent to you will be managed under those DRM policies.
And of course you can always decide not to download the data, if you don't care to accept the terms under which it is offered.
In this system it seems likely that it is in Microsoft's interest to keep WMP "open" and allow it to play content from as many people as possible. That makes the software more widely useful and ultimately will sell more copies of Windows.
However, it's also possible that Sony or some other content company could create their own media player software, and it might only play Sony content. Again, this would not be a Palladium feature. The only place Palladium would come in is that the Sony servers could make sure that they only downloaded their content to Sony media players.
Oh, also Palladium would allow Sony or the WMP to store their files encrypted on your disk in a really secure way, so that short of hardware hacking you probably won't be able to break the encryption.
No, don't do that under any circumstances! (Score:5, Insightful)
In fact, stay away from the obvious questions in general. Answers will have been prepared and you will waste your time.
If you want to make them squirm, you need to come up with some direct and highly pointed questions that will be very difficult to avoid answering directly without making it very obvious they are so avoiding it. (You can't prevent avoidance, but you can try to make it obvious that that is what they are doing.)
If I could ask a question, I'd try something like the following:
It's pointed, and it will be very difficult to avoid giving an answer, or making it obvious there isn't one. Either there is a recovery procedure, or the customer is SOL... it's pretty binary. If there is a recovery procedure, hackers might exploit it. (Or do we have to dial home to Master Microsoft first?) If there is no recovery procedure, then how can they honestly claim this is a benefit to the customer?
Me, I'd lay money on a handwaving answer... but it should be obvious, if you do it right.
Let's Get historical (Score:1, Insightful)
Re:Multiple Computers/Os's (Score:3, Insightful)
Friend, I think your definition of "standard" has come unstowed.
There are basically two definitions of "standard" that apply here. On the one hand, we've got "standard" in the sense of an ISO standard: a documented specification that has been published by a recognized standards body. Ogg Vorbis doesn't meet that criterion. MP3 does, because it's part of an ISO standard specification.
On the other hand, you've got the idea of a "de facto" standard, which is a format or tool that's so widely used that you can depend on its availability with reasonable confidence. The Microsoft Word file format is a standard in this sense. It's not true to say that everybody uses Word, but in certain circumstances-- such as sending a resume to the HR department of a big corporation-- you can assume that Word will be the preferred format.
Neither de facto nor de jure standards have the moral or practical high ground. The world is composed of both, so it's important to be able to recognize either type of standard and act accordingly. In some cases, the de facto standard conflicts with the de jure standard. We're dealing with that now with respect to HTML; the de facto standard (IE for Windows) and the de jure standard (the W3C specification) conflict. That causes problems, but eventually they'll bubble out.
Ogg Vorbis, despite whatever merits it might otherwise have, can't reasonably be called a standard in either sense. In pointing this out, I'm not trying to say anything good or bad about Ogg Vorbis, or about standards for that matter. I'm just trying to keep the conversation straight, that's all.
Re:No, don't do that under any circumstances! (Score:5, Insightful)
Why palladium does not work (Score:3, Insightful)
I don't know why people are so excited about Palladium. It cannot function as they claim. This is a fact, because nobody can ignore the reasons, at least not in this universe. I'm always under the impression that there are people who sell some highly speculative and esoteric garbage. They claim something that cannot work. And still there is applause for these people, for whatever reason. And if enough applause is around, everybody claps his hands, too, without knowing why. Anyway, Palladium will never do what it is claimed to do, it cannot function reliably and every child with a little skill in mathematics can find a proof for this fact. I will give this proof now.
Introduction
A computer is a formal system which you can analyze in various ways. Mathematics gives us nice measures to do it. These measures allow us to give predicates about ideas like Palladium without even knowing anything about their inner details.
If we assume a correctly functioning computer, this predicate is wrong. A computer is a system which can from its boot strap state reach only a finite number of states, while a Turing machine can reach an infinite number of states.
An ideal computer, which would have an infinite amount of memory, can emulate a Turing machine and is thus equivalent to a Turing machine.
This predicate is wrong. The finiteness of states a computer can reach is not disabled by the much larger finiteness of a network. Because the network, as opposed to the computer, grows over time, it can be seen as an unlimited amount of memory. You would just have to wait until someone, somewhere on the planet adds more memory to the network. However, this memory is over-directed and so the system is no longer deterministic. Therefore a computer with network connection is a non-deterministic system. Non-deterministic systems are not Turing machines. Any computer is deterministic if and only if the computer controls the network connection. This control is finite, because the computer has only a finite amount of states available. So a computer can still only reach a limited number of arbitrary states. That's why a computer is still no Turing machine.
This predicate is right. Since a Turing machine can emulate every deterministic computer, all limitations that are put on a Turing machine are also valid for the emulated computer.
A Turing machine is deterministic and is thus countable. Therefore it is imperfect as a formal system in the Goedel sense. Hint: In imperfect systems it is possible to pose a problem that cannot be solved within the system (e.g. the formula x*x = -1 in the real number system).
Based on these introductory insights a conclusion can be drawn now.
Evidence
This demand is legitimate. A security risk is, by definition, something that you cannot completely abandon. A computer connected to a network is non-deterministic and as such a security risk. A deterministic computer that no longer reacts in a predictable way as soon as you connect it to a network is undoubtedly a security risk, because you can no longer tell what the computer does and why. Everyone should seek to avoid security risks with computers. Especially a platform that claims to make a computer more secure must be bound to this insight, otherwise it would increase the security risks instead of decreasing them.
This predicate is wrong. We assume that a computer does not work in a deterministic way with Palladium and it thus constitutes no Turing machine. On the other hand Palladium supervises the data processing inside the computer and cuts off certain states. Therefore the computer loses a lot of its possibly reachable states, that is, the number of possible states becomes "even more finite" than it was before. If the computer remains deterministic, then the total number of states is lower than that of a computer without Palladium. For this reason a computer with Palladium is no Turing machine, either. (This is too bad. Would a computer with Palladium constitute a Turing machine, that would be a direct proof that Palladium does nothing, because all Turing machines are principally equivalent.)
This predicate is wrong. Either Palladium makes a computer insecure (see above: security risks) and will therefore not fulfill this claim, or Palladium is as a formal system imperfect by principle. Imperfectness in this case means that you can impose a request upon Palladium that it cannot fulfill, by principle. Since Palladium wants to give improved security, it either cannot accomplish this claim or it has to limit the usage of the computer so that there is no way to use the machine for the broad number of tasks like before. The Goedelization in this case assures us that the limitations are by no means imposed on unwanted operations, which Palladium wants to prevent, but on wanted operations which Palladium permits (or even disres) for the user. It is irrelevant if I can now give a significant example for this or not. The fact is, simply put, that thanks to Goedel we can construct such an example. That's why Palladium can again not fulfill its claim. The user is prevented from doing things that he is permitted to do due to Palladium, even though these operations are desirable.
The final conclusion will be drawn now
Conclusion
I assume that at Microsoft there are bright minded people who know enough about mathematics to not only be able to follow my implementations, but rather knew them long ago. I assume this because there's not much behind it. And therefore I assume that Microsoft knows that Palladium can not function in the way they claim.
Now that raises the question why Microsoft still propagates Palladium in the way they do? They should know that their claims are wrong. I see only two possible reasons for this riddle:
Either Microsoft wants to mock up activity in the security sector, which in reality doesn't exist and in such way gain market shares by marketing fluff.
Or Microsoft knows exactly that the computer will become completely uncontrollable with Palladium, because every networked computer with Palladium will work in a non-deterministic way. The non-determinism in this case helps specifically the one who controls Palladium, and this means Microsoft and Intel. But it will be exploited by hackers as well.
Since I make the assumption that the uprising damage from the second case would make an unrecoverable loss for the companies, I firmly believe that Palladium is marketing fluff. Professionals will turn off Palladium to have a (more) secure computer again. For consumer computers this might be a different case, but certainly no sysadmin is going to blindly accept an increased and easily avoided security risk.
Palladium most probably is nothing but marketing fluff without any background - except moneymaking.
We shall not fear Palladium. If it was impossible to turn off Palladium, every computer's value would be zero if it was not connected to the net. And if it was connected to the net, it'd be completely indeterminate what the machine does. At least that's the consequence of Goedel's proposition of incompleteness.
Tino
Original text (german) can be found on: http://20k.de/postnuke/modules.php?op=modload&nam
Final word from the translator, i.e. me: English is not my mother tongue.
Security Question (Score:2, Insightful)
I can really only think of one question: (Score:3, Insightful)
KFG
Slashdot readers froth at the mouth (Score:4, Insightful)
I think this should be treated the same as any invitation to submit questions to an interviewee.
MS, in this case.
It's disappointing to see the flamage herein. Yep, Slashdot may be homogenizing, as some have asserted - becoming bland, grey, doubleplusungood sameness in all directions. Personified by Prolific Puking Proselytizing Punks!?!
Yet ---- on the flip side, there are too many superficial questions asked, which by their phrasing or their supposed "subtlety" or "indirection" will somehow be "sprung" upon the erstwhile MS drones standing under the bright lights.
Sigh.
This is a very rare opportunity, if indeed someone will represent "our" interests at this forum (and assuming the chance to speak).
We should be asking all the questions that have come up before, but that have not yet been answered: in Salon [salon.com] by Bruce Perens ('Perens is convinced that Palladium will let Microsoft decide which applications can run on a machine and which are simply too unsafe for public consumption -- such as programs written by open-source hackers. Perens even thinks that's the point of Palladium: "It's designed to kill off open-source development."') and in Dan Gillmor [siliconvalley.com] ("Microsoft has launched its Palladium initiative, a hardware-software system designed to make computing more secure from viruses and malevolent hackers. Palladium, unfortunately, could also be used by intellectual-property owners to lock down copyrighted materials in ways that would damage users' rights. Critics have also suggested that Palladium could be used to freeze out open source software -- and they make a compelling case.")
A few example questions:
What is Microsoft's response to Cringely's allegation that data will no longer be "permanently readable" - a characteristic of computing that is taken for granted today?
What is Microsoft's position today on this issue?
Is this DRM part of (or related to) Palladium? In any event, what recourse will users have when (if) their existing software ceases to function as a result of these new "features"?
Search Google, read all the material, find the unanswered questions - and it won't matter that Microsoft sees this slashdot thread. Ask the questions that MS knows about, but has not been able or willing to answer...
Re:What's in it for consumers? (Score:5, Insightful)
The answer is obvious. Once Palladium is in widespread use, (legitimate) content will only be made available to systems that use Palladium to enforce DRM. So a consumer will want to buy a Palladium box because that is the only way that he can download the latest PPV movies, super-CD-quality audio, and other 21st century content that we haven't even thought of yet.
Microsoft benefits by providing a technology which will make the content companies feel comfortable in releasing their data in digital form. This will make PCs more valuable and sell more of them, which means more copies sold of Windows and more money in Microsoft's pocket.
Answer to your question: some can... (Score:5, Insightful)
Picture an open source media player. As it stands, xmms could be run on a palladium system and the oss model would work fine. It would play oggs ripped from your own personal cd collection and any company that takes the source, modifies it, and distributes a binary would have to release the source back to the community. No problem.
Now let's say a company takes the xmms source, adds support for drm-infested media, and releases a binary that's been digitally signed by MS, meaning that MS has examined the source and seen that it will not ever expose unencrypted, drm'd data to user access. It still plays oggs (they haven't removed that feature yet), but here's what happens when you try to connect to Disney's server to upload your credit card data and download Mickey Mouse 2010 (subtitle: Yes, we still have the copyright):
1. Disney queries your machine for its unique ID (yes, all PCs must have them for the system to work).
2. Upon verification that the unique ID is a valid one from the central unique ID database, it asks your system for a signed, timestamped, digitally signed (by the TPM [trusted platform module]) message saying that your system is running a drm-compliant OS.
3. If it gets an affirmative answer back, it queries the OS as to whether the app is digitally signed by MS. I'm not familiar with the system that will be used in this case, but I think identd would be an accurate model (i.e. "Is the app connecting from port xxxx on your machine to port yyyy on my machine digitally signed?").
4. If it gets an affirmative answer back, the server will then send content encrypted with the platform's public key (not the "unique ID" key, that one is a single purpose sign-only).
5. xmms, upon receipt of the data, plays it back according to the drm rules.
Now, imagine you want to modify the new xmms sources (that include drm support) to play a new audio format or to add a media manager function (or whatever). You still have free access to the sources, but once you modify and compile them, you get an unsigned binary out of your compiler. It still plays oggs, but when you try to buy a movie from Disney, the OS responds (in step 4 above) with a negative answer.
"No, the binary making that connection is NOT signed."
The result is that Disney will not send data to that app. I'll get the obvious question answered right now:
Q: What if you modify your OS to respond to all step 3-4 "is xyz app signed?" questions with a "yes" answer? Couldn't you break the system that way?
A: No. The authentication process would fail on step #2 above because your recompiled kernel wouldn't be signed so the TPM on your motherboard would refuse to vouch for it.
What does this mean for OSS? Well, not much. Open-source, non-pd/tcpa software won't be affected at all. OSS that does "handle" secure content as one of its main functions would be affected - you wouldn't be able to fork it unless you wanted to pay MS for a digital signature on every release if you want the pd/tcpa portions to keep working. In a nutshell, only the portions of OSS that normally depend on pd/tcpa would be nonfunctional.
So why is palladium/tcpa still a big problem? Well, a couple of reasons, but first, more Q&A.
Q: What if I were to physically crack open my trusted platform module and extract its private encryption and sign-only authentication keys.
A: You would have broken palladium/tcpa security.
Q: What if I were to replace my core root of trust for measurement (CRTM, aka my BIOS) with one that always reports the system is booting in a "secure state" to the TPM?
A: You would have broken palladium/tcpa security.
Q: What if I find a buffer overflow or other bug in a signed application (e.g. windows media player) that allows me to execute arbitrary code as that process?
A: You would have broken palladium/tcpa security.
Q: What if I find a buffer overflow or other bug in the OS or a signed driver that allows me to execute arbitrary code as the OS kernel?
A: You would have broken palladium/tcpa security.
I don't mean to make it sound easy - tcpa is designed to place these activities beyond the means of the average script kiddie. However, they are all very real valid security problems that palladium/tcpa _will never be able to solve_, specifically because of the nature of cryptography, mass-produced hardware, and information itself. I guess you could say that information really does "want to be free".
(Note to grammar nazis: Yes. I'm aware I put the period outside the quotation marks. I did this because I believe it enhances the readability of printed English. Putting the terminating semicolon from a line of C code inside the quotes around a quoted string just doesn't make logical sense. However, any its/it's, there/their/they're, or other stupid mistakes that detract from my ability to communicate clearly are fair game.)
So why is it such a bad idea? Because people think it will work. The latest issue of PC World (November [?] 2002) features an ad from IBM touting the advantages of the latest Intel Pentium 4 processor's LaGrande Technology. If I could find it I'd post the page number, but if you look through the issue it's on the left side somewhere in the middle-ish section. It promises freedom from viruses and a more secure operating system. I think it promises completely secure e-commerce as well. The average PC World readers are going to read this and their eyes are going to pop out of their heads. "Really? No more viruses? No more trojans? Secure e-commerce? How wonderful!" When online companies start pushing "secure" online movie rentals (broadband only, some restrictions may apply, void where prohibited, etc...) the ones surviving heart failure will scramble to buy new PCs with this LaGrande Technology (or AMD's equivalent). After all, who wouldn't want a virus-free secure PC that does new and exciting things?
Nevermind that the reason 99.999% of the computer-using public have to even think about viruses is because outlook is so incredibly insecure. Nevermind that the only things stopping global availability of secure online shopping are the certificate authorities' greed and US crypto export laws*. Nevermind that online movie rentals will most definitely not take off soon considering how much bandwidth is available to home users even with broadband. (Yes, you may have 2mbit cable, but what's going to happen when a large enough percentage of friday night movie watchers decide to download and cable companies are overselling their last mile _and_ backbone bandwidth at a ratio of 50 to 1?) Nevermind that LaGrande Technology is designed to be the cpu-side hardware support for tcpa/palladium which is already flawed. I'm not saying that IBM won't be able to make good on their promises of perfect security and a virus-free environment (that's a separate debate) - I'm saying that they're pushing a unique PC ID and Digital Restrictions Mechanisms into every home in trying to do it.
(* Yes, I'm aware that you can get strong ssl encryption in linux outside the US. Here I'm referring to windows, a product from a commercial entity that has at least a slight interest in pretending they obey US law.)
So that's how it's going to get into homes and businesses. What harm is it going to do once it gets there? Well, just because it's going to be hopelessly inadequate when it comes to serving its intended purpose of stopping online piracy of digital media doesn't mean that it won't restrict fair use rights. Sure, anyone can use a cracked pd/tcpa box to download a film from disney and then distribute it online, but if Joe user can't rip his legally purchased CD and send it to his car stereo because of draconian DRM code, that's a problem. And that's only the copyright/fair use side of the issue. What about security? What happens when a certain OS vendor, with complete confidence in its supremely planned but critically flawed transition element, starts getting lax on security and starts depending on pd/tcpa to keep everything together? Even worse security holes than we've seen before due to inattention to important detail and (at least) internal code review.
I hope you see what I'm talking about now. The worst possible outcome is not that palladium/tcpa will progress as planned (which violates the "possible" part). It's that it will approach an uneducated public and fail miserably.
Are you a paying member of the eff yet?
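The remote-attestation flow sketched in the post above (steps 2 to 4, the same mechanism the earlier "Re:Ramifications" reply describes for WMP proving itself to a server), as an added simulation that is not part of the original thread: a measured boot extends BIOS and kernel hashes into a PCR, the TPM quotes that PCR against a server nonce, and the server only asks the OS about the app's signature once the quote matches a known-good boot chain. All keys, binaries and the signature database are constructed, and an HMAC under a shared key stands in for the TPM's and vendor's real asymmetric signatures.

```python
"""Constructed simulation of measured boot + remote attestation + app-signature check.
Not the real TPM/TCPA/Palladium protocol: HMAC stands in for asymmetric signatures,
and step 1 of the post (unique-ID lookup) is omitted."""
import hashlib
import hmac
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Tpm:
    """One PCR register plus a sign-only attestation key (constructed)."""

    def __init__(self, attestation_key: bytes):
        self._key = attestation_key
        self.pcr = bytes(32)  # PCR is all-zero at reset

    def extend(self, component: bytes) -> None:
        # PCR_new = H(PCR_old || H(component)); order-dependent and irreversible
        self.pcr = sha256(self.pcr + sha256(component))

    def quote(self, nonce: bytes) -> dict:
        # Step 2: signed statement of the current PCR, bound to the server's nonce
        sig = hmac.new(self._key, self.pcr + nonce, "sha256").digest()
        return {"pcr": self.pcr, "nonce": nonce, "sig": sig}


def measured_boot(tpm: Tpm, bios: bytes, kernel: bytes) -> None:
    """CRTM measures the BIOS, BIOS measures the kernel; each is extended into the PCR."""
    tpm.extend(bios)
    tpm.extend(kernel)


class Os:
    """OS that answers the step-3 question: is the connecting app vendor-signed?"""

    def __init__(self, tpm: Tpm, vendor_key: bytes, signed_apps: dict):
        self.tpm = tpm
        self._vendor_key = vendor_key
        self._signed = signed_apps  # constructed: app hash -> vendor signature

    def app_is_signed(self, app_binary: bytes) -> bool:
        h = sha256(app_binary)
        sig = self._signed.get(h)
        if sig is None:
            return False
        return hmac.compare_digest(sig, hmac.new(self._vendor_key, h, "sha256").digest())


class LyingOs(Os):
    """The recompiled kernel from the post's Q&A: vouches for every app."""

    def app_is_signed(self, app_binary: bytes) -> bool:
        return True


class ContentServer:
    """Server side of steps 2 to 4; holds the TPM verification key and a golden PCR."""

    def __init__(self, attestation_key: bytes, known_good_pcr: bytes):
        self._key = attestation_key
        self._good_pcr = known_good_pcr

    def serve(self, client_os: Os, app_binary: bytes) -> str:
        nonce = secrets.token_bytes(16)  # freshness: a replayed quote will not verify
        q = client_os.tpm.quote(nonce)
        expected = hmac.new(self._key, q["pcr"] + nonce, "sha256").digest()
        if not hmac.compare_digest(q["sig"], expected):
            return "refused: quote signature invalid"
        if q["pcr"] != self._good_pcr:
            return "refused: OS/boot chain not in known-good state"
        # Only a kernel that booted in the golden state is trusted to answer step 3
        if not client_os.app_is_signed(app_binary):
            return "refused: app binary is not signed"
        return "content sent"


def run_scenarios() -> dict:
    """Three clients against one server; returns each server decision by label."""
    att_key = b"constructed-tpm-attestation-key"
    vendor_key = b"constructed-vendor-signing-key"
    bios = b"BIOS v1 (constructed)"
    stock_kernel = b"vendor kernel (constructed)"
    patched_kernel = b"kernel recompiled to say 'signed' for every app (constructed)"
    signed_player = b"media player release binary, vendor-signed (constructed)"
    forked_player = b"media player recompiled by the user (constructed)"
    signed_apps = {sha256(signed_player):
                   hmac.new(vendor_key, sha256(signed_player), "sha256").digest()}

    # Server's golden value: the PCR a correctly booted stock system ends up with
    ref = Tpm(att_key)
    measured_boot(ref, bios, stock_kernel)
    server = ContentServer(att_key, ref.pcr)

    def client(kernel: bytes, os_cls, app: bytes) -> str:
        tpm = Tpm(att_key)
        measured_boot(tpm, bios, kernel)
        return server.serve(os_cls(tpm, vendor_key, signed_apps), app)

    return {
        "stock+signed": client(stock_kernel, Os, signed_player),        # steps 2-4 pass
        "stock+forked": client(stock_kernel, Os, forked_player),        # fails at step 3
        "patched_kernel+forked": client(patched_kernel, LyingOs, forked_player),  # fails at step 2
    }
```

The third scenario is the post's own Q&A: a kernel patched to answer "yes" never gets asked, because its measurement already differs from the golden PCR, while a TPM key extraction or a hypothetical bug in the trusted chain (the post's later Q&A) would bypass the PCR check entirely and is outside what this model can catch.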
Re:major palladium concerns (Score:2, Insightful)
Great, the executables have a signature so they cannot be run when modified, but this will not stop the type of the buffer overruns people exploit today. Furthermore the amount of code in jeopardy will grow by several orders of magnitude, and was not engineered with the same hostile exposure in mind.
Be honest. Palladium is not about protecting users from their software, but instead about protecting computer data in vaults from their users. Right?
Aren't the content industries naive for thinking Microsoft will not crush them once Microsoft's DRM becomes established?
Re:No, don't do that under any circumstances! (Score:2, Insightful)
It's especially good if you ask a question where they know the answer, the whole audience knows (or thinks they know) the answer, and it's not pretty. And ask it very innocently, so they can't brush you off as a trouble-maker.
Your question is pretty good but it's even better to ask a single question. With multiple questions they can act confused, or choose just the easiest one.
Simon
Re:No, don't do that under any circumstances! (Score:3, Insightful)
The process you describe would require that every PC owner (we're talking hundreds of millions and soon billions) diligently backs up their key and keeps it safe. How can you expect this when most people can't find their car keys? How can you expect my Mom to understand that when she can barely understand how the damned computer works at all?
Humans (and especially us Americans) most often take the path of least resistance. This Palladium crap is definitely not that.
Re:Second post! (Score:3, Insightful)
Typically you'd rather lose data on an encrypted disk than risk it being compromised. Key recovery and key escrow go directly against this. Replacing mathematically proven security with a human trust form of security = Bad idea.
As for storing a CC number on your computer and only allowing trusted wallet applications to access it: sure, it's rather stupid to store stuff like that on your computer. However you are far more likely to get it stolen from the other end. The server is known to have them and has a lot more than some random computer. I'm also not convinced that this system makes your data any more secure than an entirely software solution using encryption.
Finally, if you want to prevent a computer from booting if tampered with, it is pretty easy to boot from a write-protected floppy. Put whatever verification you want on that.
Perhaps there might be some good uses for this technology, but I'd rather try to make existing technology work than be forced to give up the control that MS/RIAA/MPAA want.
Re:An obvious question from the /. crowd (Score:2, Insightful)
Slower production time. Awaits certification by a third-party. Cannot possibly run as trusted on every system. People can't modify and compile their trusted code themselves (Say goodbye to testing). XMMS isn't allowed to ship with output modules? wtf... What part of your post was supposed to be friendly to Free Software??!
Oh yeah, and since the middleman has a financial incentive to approve client binaries, how is he going to be able to spot all the security holes that dedicated, unbiased security professionals have not yet found? The first time a program gets slipped past the middle man, it becomes unencrypted data, which will then be distributed ala Gnutella / Freenet. Is IE going to be trusted? Media Player? IIS? Word? Can you spot the bug-free software in that list? Me neither. Does it just mean that people are going to suddenly write flawless code, especially when they can't compile and test it themselves?
Oh yeah, and the part you completely forgot to mention: why in God's name I'm supposed to plunk down hard currency for a computer that breaks so many things that used to work.
BS. It's all BS. TCPA, all of it. No one's going to buy crippled machines. Christ MS can't even sell new copies of Office, because the old ones work just fine, even if the new version is a little better. Why would anyone want to ditch their old computer when the alternative is something that's not only broken, but hostile?
And don't even say, "So they can run trusted code", because I'll be running that code Free as a bird the week after it gets cracked.
--
Please forgive my hostility. I just hate the idea of groups sitting behind closed doors and conspiring to enslave my future machines to their avarice. And you're the only one I can reach.
Re:No, don't do that under any circumstances! (Score:4, Insightful)
The real point to hammer home is "How is this helpful to the consumer to make them jump through all these hoops to do something that used to be as easy as burning backups to a CD-R?"
(BTW, to the story poster, if you REALLY want to nail the question down, you need this back-and-forth between people to really refine it. SiliconEntity's post is exactly what you need.)
Data corruption? (Score:4, Insightful)
If I understand correctly, Palladium checks the integrity of a program "down to a single bit" and will not allow the program to run if a single bit is different from what it expects.
What happens if a sector on the hard drive becomes corrupted? Whereas most programs will presently continue to run with a small amount of corruption (at least well enough to retrieve data), under Palladium would it not fail to load entirely? In other words, the most minor data corruptions become catastrophic failures.
Would it be necessary to reinstall the software entirely in order to run it under Palladium?
Microsoft on Slashdot? (Score:2, Insightful)
Re:No, don't do that under any circumstances! (Score:3, Insightful)
Re:THe obvious one ... (Score:3, Insightful)
This question WILL BACKFIRE on you unless you are extremely detailed and careful. They've built up an arsenal of smoke and mirrors to disguise their monopoly tactics as being free, open, even friendly and generous.
Linux will run perfectly fine on Palladium machines. A computer with Palladium is like a computer with a webcam attached. If none of the programs are written to use the webcam, it doesn't matter that it's sitting there unused. It is still a fully functional computer. All other programs still work.
Microsoft has specifically stated they WILL release the information Linux needs to use Palladium. This is their big "open source" hype. Everyone can use Palladium. The catch is that Palladium programs will only run on an operating system they trust. This means the operating system needs to be signed by Microsoft. Well, actually Microsoft will probably set up an "independent body" to do the signing. There will be an "open process" where anyone can get their OS signed. Except the process will be very long, very difficult, and most importantly very expensive. You have to prove the OS's use of Palladium is completely secure and meets all the rules they set.
In other words it will be virtually impossible for Linux to get approval. Let's assume some big company like IBM actually does finance an approval for Linux. It's next to worthless because the signature will only work for that EXACT binary distribution. Switching to a different distribution, or moving up to the next release, or even just applying a patch will void the signature. And THAT excludes the possibility of using any commercial Palladium program or Palladium content on Linux in general.
2nd half of the answer... (Score:5, Insightful)
* Only DRM/"Trusted" systems will be able to play content from the Music industry or Hollywood.
* For an operating system to be trusted it needs to be vetted and signed for use with DRM. i.e. it needs to be a "known quantity".
* An OS where the user can modify it at will is not a "known quantity" or signed, and even if it was, as soon as you recompile it you would break the signature. Basically, an OS where you are allowed to modify it cannot be trusted. (Allowing modifications being a large part of the "Freedom" involved in Free Software. You can't have it both ways.)
The result being a world where only non-Free operating systems can play the entertainment industry's content, by design.
If you thought playing Windows Media files on Linux was tough now, wait until Palladium.
--
Simon
Does your computer trust you? (Score:3, Insightful)
What Palladium does is to enable the computer to NOT trust its owner.
Any other problem allegedly solved by Palladium can be solved without it.
Really!!
Can you show me... (Score:1, Insightful)
Or do I have to rely on a Micro$oft PR monkey who assures me that it is?
The Edge (Score:2, Insightful)
The point is that the framework must not be adopted. To have one company control all aspects of data manipulation is insane. And what's more, this is the company that changes their EULA in an upgrade! So even if the answer to your question now is "why sure, you can create, distribute, run, and in general do anything you want with open source or any other program!" what makes you think that they can't just change this sentiment for "security reasons" or because they decide to call open-source "flawed" or "threatening" or whatever... the point is that, by adopting the system, you give them that control.
I don't usually like to quote Star Wars, but in this case it's more than appropriate:
"Once you start down the Dark Path, forever will it dominate your destiny." --Yoda
The point isn't what will happen once we're already on the path... the point is we must never even start in that direction. Don't give up self-government of data for promises of greater security any more than you would give up your Bill of Rights for better CIA surveillance.
Oh wait... I forgot we've already done just that.
What about Script and Macro Viruses? (Score:3, Insightful)
Is Palladium supposed to offer any protection against these? (If not, then skip the rest of the arguments...)
How would Palladium help? Presumably Microsoft applications would be "trusted", yet these applications are the executables that are doing the damage (while executing the macros or scripts).
Are scripts and macros going to be considered distinct executables, that must be independently certified and signed? What about very common scripts like javascript for HTML Image rollovers, layers, form validations, etc.?
If not every script has to be signed, then how does Palladium make a practical distinction between what does need to be signed and what doesn't?
If every script has to be signed, then how would a new Palladium-enabled system keep compatibility with the existing web, existing Microsoft documents, and Microsoft's application design philosophy?
microsoft violates patent (Score:3, Insightful)
Peter Biddle of Microsoft gave a Palladium talk at the USENIX Security Symposium in August. At this talk he said that he was unaware of any way that Palladium could be used to combat software piracy.
Lucky Green immediately wrote down several ways in which palladium could be used to do this, and filed patents on these methods.
Explain the above, then ask if Palladium has any method of preventing software piracy. Follow up by asking if they are utilizing the methods described in Lucky Green's patents.
Re:An obvious question from the /. crowd (Score:2, Insightful)
It seems less so every time you post.
The only binary that needs to be trusted is the client/player.
And the operating system. And the sound/video drivers.
Not that only having to have the OS/player be trusted makes a difference -- It's not the amount of software, it's whether it can easily be free.
The middleman has vast incentive to approve as much software as possible, because that directly translates into more revenue.
I'm not sure I see your reasoning. If WinAmp was the only windows mp3 player, how many people wouldn't be listening to mp3's? The more software = more revenue is a tenuous link when what you're selling is -content-. And code reviews are time consuming, and hence expensive. It seems that the middleman would want to minimize the amount of software that they approve for cost reasons.
Anyone can see the binary and the source.
Being able to look at the source code doesn't make it free software.
And since that portion of the system is off limits, once the hash is taken that code is permanent - it can't be modified by any portion of the system.
Exactly. You can't modify it; it isn't free.
After this code is assembled and tested, it is given to the middleman, who verifies it doesn't provide any loops. After that it is compiled against various systems and hashes are taken. This could be a pretty serious job since most libraries would have to be compiled in statically - especially input/output libraries (it'd break the system if glibc was linked outside the trusted portion of the system; the app would emphatically refuse to run).
And like I said before... Middlemen are going to do this for free, for XMMS, FreeAmp, XV, MPlayer, GTV, Chris Burke's Media Player... Yeah right.
Improvements would have to be re-validated by the middleman of course.
FSF philosophy is not that you should be able to modify a program to suit your needs -- so long as the changes are approved by a moneyed middleman.
This will slow down the development cycle (daily releases aren't viable in this case).
"Release early, release often" isn't exactly GNU philosophy, but it has served free software well.
And I made the same observation last post -- do I really want the next kernel release held up by a middleman who could easily be in the pocket of those who are hostile to free software? Not that "you can modify the source, so long as the results are approved by a third party" is compatible with the philosophy of free software.
The binaries could be modified, as well as the source by anyone, but the program would not match the hash expected by the middleman, and encrypted content would not be decrypted and therefore played. However, that same binary would work fine with non-encrypted content.
Right. Like I said: No more compiling your own kernel. No more in-house driver development. No more actually being able to modify and recompile a program and then use it for the same things you used it for before. If you try, you lose your ability to play your paid-for content.
Sounds pretty hostile to me.
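An added example, not code from any poster here nor Microsoft's actual design, modelling the sealed-storage idea behind both the "Data corruption?" post and the exchange above: a content key is sealed to the expected measurement of a player image, so a patched, recompiled or bit-corrupted image cannot recover it, while unprotected content still plays on the same modified binary. The image bytes, content key and key-derivation step are constructed placeholders.

```python
import hashlib
import hmac

# Constructed player-image stand-in and the content key to release only to it.
PLAYER_IMAGE = b"\x7fELF-constructed-player-image-v1.0" * 8
CONTENT_KEY = bytes(range(16))


def measure(image: bytes) -> bytes:
    """SHA-256 over every byte of the image: one flipped bit anywhere
    yields a completely different measurement."""
    return hashlib.sha256(image).digest()


def _kek(measurement: bytes) -> bytes:
    # Key-encryption key derived from a measurement (hypothetical KDF).
    return hashlib.sha256(b"seal-to-measurement|" + measurement).digest()


def seal(secret: bytes, expected_measurement: bytes) -> bytes:
    """Seal a secret (<= 32 bytes) to expected_measurement; returns ct || tag."""
    kek = _kek(expected_measurement)
    ct = bytes(a ^ b for a, b in zip(secret, kek))
    return ct + hmac.new(kek, ct, hashlib.sha256).digest()


def unseal(blob: bytes, measurement: bytes):
    """Secret if `measurement` matches the one sealed to, else None:
    a wrong key fails the tag check and nothing is released."""
    kek = _kek(measurement)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(kek, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, kek))


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate one corrupted bit (bad sector, patch, or recompile)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def can_play(image: bytes, sealed_key: bytes, protected: bool) -> bool:
    """Policy from the thread: unprotected content always plays; protected
    content plays only if the running image can unseal the content key."""
    return (not protected) or unseal(sealed_key, measure(image)) is not None


SEALED_KEY = seal(CONTENT_KEY, measure(PLAYER_IMAGE))
```

Note that the check is all-or-nothing: a single corrupted bit is indistinguishable from a hostile modification, which is exactly the catastrophic-failure concern raised in the "Data corruption?" post.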
The Question Everyone Forgot To Ask (Score:3, Insightful)
How does it make my computing experience any easier or better?
I'm not asking how it benefits corporate America, who simply wants locks on my home installed so that I have to ask to be let out/in.
What will palladium do for me?