Questions for a Lecture on Microsoft's Palladium? 612
An anonymous reader asks: "Microsoft is going to be giving a lecture on Palladium
for my Computer and Network Security class at MIT this Thursday. We're told that it's going to be the most technically detailed lecture publically given to date, and that we should be armed with questions as a result. Any suggestions from the Slashdot crowd? What technical details have you been dying to know about Palladium?" It would be interesting to hear back from someone who is planning on attending this. For those who wish they were, but can't for one reason or another, what would you have asked by proxy?
Your second question... (Score:5, Funny)
Why won't you answer my first question?
Third question from slashdot (Score:5, Funny)
A good attack question! (Score:5, Interesting)
This question should probably be saved until some of the groundwork for it has been already been covered. Here's the basis for it...
Palladium programs and any Palladium data can only be used on a trusted nub ("nub" basicly means kernal). Any changes to the nub are going to have to be submitted for approval as a new trusted nub. How long will this approval process take?
I think they plan an "independant" body to certify/sign a nub as trusted. If so point out this will massively delay the release of their security fixes.
If Microsoft plans to do their own certification that their nub is trustworthy then point out that they are leveraging their 90+% marketshare to create a monopoly on trusted nubs and all commercial use of Palladium.
-
Why Palladium? (Score:5, Funny)
Why did you choose to build your new processor out of Palladium.
Silicon, with aluminium or copper, is the more traditional choice.
Tell them... (Score:5, Funny)
What's in it for consumers? (Score:5, Insightful)
Re:What's in it for consumers? (Score:3, Insightful)
Re:What's in it for consumers? (Score:5, Interesting)
Or conversely, "Why does Microsoft believe that Palladium will earn a positive cash flow for the company, satisfy return on investment, etc, in the long run?
Essentially, "what's in it for YOU?" This could reveal some interesting information about their long term strategy and core motives.
Re:What's in it for consumers? (Score:5, Interesting)
Easy answer to that one: (Score:3, Interesting)
Content.
IMO it's a similar situation to DVD region coding. Consumers never wanted it, but the big studios wouldn't put stuff on DVD unless it was protected, so the electronics companies had to agree to it, and if we wanted to use DVD we had to as well. Which many did. If M$ can make a must-have Palladium app (probably business- rather than consumer-targetted), then you'd be surprised how many go for it.
Of course, the DVD protection was broken: player makers turned a blind eye to region mods, or even quietly introduced them themselves; and similar hacks became available for many DVD-RAM drives. Nevertheless, region coding still exerts a good deal of control over the DVD markets, and causes many consumers great inconvenience. And the same will happen with Palladium: if it becomes widespread and desirable, then someone is bound to crack it. But that won't stop it from causing untold pain and misery.
Re:What's in it for consumers? (Score:5, Insightful)
The answer is obvious. Once Palladium is in widespread use, (legitimate) content will only be made available to systems that use Palladium to enforce DRM. So a consumer will want to buy a Palladium box because that is the only way that he can download the latest PPV movies, super-CD-quality audio, and other 21st century content that we haven't even thought of yet.
Microsoft benefits by providing a technology which will make the content companies feel comfortable in releasing their data in digital form. This will make PCs more valuable and sell more of them, which means more copies sold of Windows and more money in Microsoft's pocket.
2nd half of the answer... (Score:5, Insightful)
* Only DRM/"Trusted" systems will be able to play content from the Music industry or Hollywood.
* For an operating system to be trusted it needs to be vetted and signed for use with DRM. i.e. it needs to be a "known quantity".
* An OS where the user can modify it at will is not a "known quantity" or signed, and even if it was, as soon as you recompile it you would break the signature. Basically, an OS where you are allowed to modify it, can not be trusted. (Allowing modifications being a large part of the "Freedom" involved in Free Software. You can't have it both ways).
The result being a world where only non-Free operating systems can play the entertainment industry's content, by design.
If you thought playing Windows Media files on Linux was tough now, wait until Palladium.
--
Simon
Intel Serial number (Score:4, Interesting)
Got some Thinkpads a few months ago and guess what? The option is GONE. They win, we lose.
Expect the same tactics again. In the beginning it will be optional but it won't stay that way long.
Re:Intel Serial number (Score:4, Interesting)
LawMeme article with good facts (Score:4, Informative)
Ask them how it'll help you... (Score:5, Insightful)
The biggest question in my mind on Palladium is how it's supposed to help users. Why we're supposed to use it, instead of just keeping on using our old Palladium-free computers.
Devil's Advocate (Score:5, Insightful)
Their answer will be:
"Providing adequate protection for digital content helps ensure that the quality of that content is protected, and maintaining the rights of the content producer will help maintain the quality of their work, which helps us all."
Again, I don't agree with this nor do I think it is a compelling reason, but if I were a Microsoft Market-bot-3000, that would be my standard output.
No, don't do that under any circumstances! (Score:5, Insightful)
In fact, stay away from the obvious questions in general. Answers will have been prepared and you will waste your time.
If you want to make them squirm, you need to come up with some direct and highly pointed questions that will be very difficult to avoid answering directly without making it very obvious they are so avoiding it. (You can't prevent avoidance, but you can try to make it obvious that that is what they are doing.)
If I could ask a question, I'd try something like the following:
It's pointed, and it will be very difficult to avoid giving an answer, or making it obvious there isn't one. Either there is a recovery procedure, or the customer is SOL... it's pretty binary. If there is a recovery procedure, hackers might exploit it. (Or do we have to dial home to Master Microsoft first?) If there is no recovery procedure, then how can they honestly claim this is a benefit to the customer?
Me, I'd lay money on a handwaving answer... but it should be obvious, if you do it right.
Re:No, don't do that under any circumstances! (Score:5, Insightful)
Re:No, don't do that under any circumstances! (Score:3, Offtopic)
How about: I'm a freelance developer, and I use Cygwin to do most of my development. I have invested over ten years in learning these tools, and as a result, I am incredibly efficient with them. For those of you who don't know, Cygwin is an OpenSource extension to Windows that runs common UNIX programs like Emacs & GCC. Will I be able to run Cygwin in a Palladium environment, or will I be forced to run only Microsoft-approved development tools with corresponding EULAs?
Re:No, don't do that under any circumstances! (Score:5, Interesting)
Microsoft hasn't said how this would work, and it is certainly a good question. But I don't agree with your implication that it is somehow an unsolvable problem or indicates that Palladium must be weak.
The related TCPA scheme did have a proposal for how to deal with this. The idea is that your crypto chip has a key in it that encrypts all this data. You can get it to export this key in a "blob" that can only be decrypted by the manufacturer. (Actually the key is exported in two parts, one in the clear and one in the blob, that have to be XOR'd together to recover the real key.)
If your crypto chip dies, you buy a new computer or motherboard with a new chip. You send the backed-up blob and the new chip identifier to the manufacturer, who decrypts the blob data and re-encrypts it for the new chip, and sends it back to you. You then enter this into the new chip, along with the other half of the key, and presto, your new chip is initialized with the same key that was in the old one. So your new computer can read the data that was locked to the old computer.
This is all done in such a way that neither you nor the manufacturer ever sees the crypto key, so the data is still protected.
Now, this is pretty cumbersome, and maybe Microsoft will come out with something better. If this is really going to be a detailed technical presentation, this would be an excellent question to ask. Just don't assume they can't answer it!
Re:No, don't do that under any circumstances! (Score:3, Insightful)
The process you describe would require that every PC owner (we're talking hundreds of millions and soon billions) diligently backs up their key and keeps it safe. How can you expect this when most people can't find their car keys? How can you expect my Mom to understand that when she can barely understand how the damned computer works at all?
Humans (and especially us Americans) most often take the path of least resistance. This Palladium crap is definitly not that.
Re:No, don't do that under any circumstances! (Score:3, Interesting)
Re:No, don't do that under any circumstances! (Score:4, Insightful)
The real point to hammer home is "How is this helpful to the consumer to make them jump through all these hoops to do something that used to be as easy as burning backups to a CD-R?"
(BTW, to the story poster, if you REALLY want to nail the question down, you need this back-and-forth between people to really refine it. SiliconEntity's post is exactly what you need.)
Re:No, don't do that under any circumstances! (Score:3, Insightful)
Why is Palladium Needed? (Score:5, Insightful)
And how does "trust" have anything to do with Palladium. Palladium is a system of control, not of trust.
Question for MIT students/faculty (Score:5, Interesting)
MIT's page [mit.edu] makes no mention of any intention to do this, and seeing how it will apparently be the "most technically detailed lecture publically given to date," I think that the public would benefit greatly from such a service.
An obvious question from the /. crowd (Score:5, Interesting)
Can open source software and Palladium coexist?
Re:An obvious question from the /. crowd (Score:5, Insightful)
Go even more general than this, so you don't even have to bring up competition:
How can user written software run on a 'trusted' system?
Re:An obvious question from the /. crowd (Score:5, Interesting)
Can a system of DRM be devloped that does not rely on security through obscurity at any level, or a crippling of general purpose computers?
Comment removed (Score:5, Interesting)
Re: (Score:3, Interesting)
Re:An obvious question from the /. crowd (Score:5, Informative)
It's obvious, if you're familiar with the Palladium information that has been released. All software, whoever writes it, will be able to make use of Palladium features via a new API.
What are the Palladium features? Your software will be able to create a "virtual vault" that other software can't see into (an encrypted disk file locked to a hash of your software). You can have a "trusted agent" that runs in a secure memory area which is immune to being inspected or changed using debuggers, virtualizers, etc. You can get the OS to securely report a hash of your software to third parties, cryptographically signed by a key which is locked in the Palladium hardware.
The sense in which these features entitle your software to be called "trusted" is beyond the scope of this reply.
I strongly suggest that the OP read the Palladium docs that are available to familiarize himself with the system before he goes to this lecture.
Re:An obvious question from the /. crowd (Score:4, Informative)
If your system is offline or un-networked, you can still use the Palladium "virtual vault" and "curtained memory". This would allow your software to create a crypto key and store some data encrypted with it, such that no other software would be able to read that data. Not even the owner of the computer could get to that data except under the rules that your software enforced. He couldn't virtualize it, he couldn't emulate it, he couldn't use a debugger or patch the software.
The reason he can't virtualize your software or run it on an emulation layer is that the data is encrypted with a key that is locked in the crypto chip. The emulator doesn't have that key and so it can't decrypt the data. The reason he can't use a debugger is because (part of) your software runs in the special memory region which is off limits to debuggers. And the reason he can't patch your software (on the disk, say) is because that changes the software hash, which the crypto chip checks when it goes to decrypt the data, to see if it matches what it was then the data was encrypted. Changing the software changes the hash; changing the hash keeps you from getting at the data.
He could still get at the data if he used some hardware hacks, like dual-ported ram or exotic techniques to extract data from the secure crypto chip. These are probably outside of the expertise of the average hacker, though.
So what does "trusted" mean here? It means that your software can manage data and behave in a predictable manner, enforcing specified rules for manipulating the data.
Re:An obvious question from the /. crowd (Score:4, Interesting)
I think what they're trying to say is that you'll be able to run non-licensed software, however you'll receive a nasty warning similar to the warning in XP if you try to install non-WinXP certified drivers. So I see Palladium being like the Intel processor serial numbers, except you'll NEED to enable it for certain software. And of course it'll be cracked 2 days before release.
Answer to your question: some can... (Score:5, Insightful)
Picture an open source media player. As it stands, xmms could be run on a palladium system and the oss model would work fine. It would play oggs ripped from your own personal cd collection and any company that takes the source, modifies it, and distributes a binary would have to release the source back to the community. No problem.
Now let's say a company takes the xmms source, adds support for drm-infested media, and releases a binary that's been digitally signed by MS, meaning that MS has examined the source and seen that it will not ever expose unencrypted, drm'd data to user access. It still plays oggs (they haven't removed that feature yet), but here's what happens when you try to connect to Disney's server to upload your credit card data and download Mickey Mouse 2010 (subtitile: Yes, we still have the copyright):
1. Disney queries your machine for it's unique ID (yes, all PCs must have them for the system to work).
2. Upon verification that the unique ID is a valid one from the central unique ID database, it asks your system for a signed, timestamped, digitally signed (by the TPM [trusted platform module) message saying that your system is running a drm-compliant OS.
3. If it gets an affirmative answer back, it queries the OS as to whether the app is digitally signed by MS. I'm not familiar with the system that will be used in this case, but I think identd would be an accurate model (i.e. "Is the app connecting from port xxxx on your machine to port yyyy on my machine digitally signed?").
4. If it gets an affirmative answer back, the server will then send content encrypted with the platform's public key (not the "unique ID" key, that one is a single purpose sign-only).
5. xmms, upon receipt of the data, plays it back according to the drm rules.
Now, imagine you want to modify the new xmms sources (that include drm support) to play a new audio format or to add a media manager function (or whatever). You still have free access to the sources, but once you modify and compile them, you get an unsigned binary out of your compiler. It still plays oggs, but when you try to buy a movie from Disney, the OS responds (in step 4 above) with a negative answer.
"No, the binary making that connection is NOT signed."
The result is that Disney will not send data to that app. I'll get the obvious question answered right now:
Q: What if you modify your OS to respond to all step 3-4 "is xyz app signed?" questions with a "yes" answer? Couldn't you break the system that way?
A: No. The authentication process would fail on step #2 above because your recompiled kernel wouldn't be signed so the TPM on your motherboard would refuse to vouch for it.
What does this mean for OSS? Well, not much. Open-source, non-pd/tcpa software won't be affected at all. OSS that does "handle" secure content as one of its main functions would be affected - you wouldn't be able to fork it unless you wanted to pay MS for a digital signature on every release to you want the pd/tcpa portions to keep working. In a nutshell, only the portions of OSS that normally depend on pd/tcpa would be nonfunctional.
So why is palladium/tcpa still a big problem? Well, a couple of reasons, but first, more Q&A.
Q: What if I were to physically crack open my trusted platform module and extract its private encryption and sign-only authentication keys.
A: You would have broken palladium/tcpa security.
Q: What if I were to replace my core root of trust for measurement (CRTM, aka my BIOS) with one that always reports the system is booting in a "secure state" to the TPM?
A: You would have broken palladium/tcpa security.
Q: What if I find a buffer overflow or other bug in a signed application (e.g. windows media player) that allows me to execute arbitrary code as that process?
A: You would have broken palladium/tcpa security.
Q: What if I find a buffer overflow or other bug in the OS or a signed driver that allows me to execute arbitrary code as the OS kernel?
A: You would have broken palladium/tcpa security.
I don't mean to make it sound easy - tcpa is designed to place these activities beyond the means of the average script kiddie. However, they are all very real valid security problems that palladium/tcpa _will never be able to solve_, specifically because of the nature of cryptography, mass-produced hardware, and information itself. I guess you could say that information really does "want to be free".
(Note to grammar nazis: Yes. I'm aware I put the period outside the quotation marks. I did this because I believe it enhances the readability of printed english. Putting the terminating semicolon from a line of C code inside the quotes around a quoted string just doesn't make logical sense. However, any its/it's, there/their/they're, or other stupid mistakes that detract from my ability to communicate clearly are fair game.
So why is it such a bad idea? Because people think it will work. The latest issue of PC World (November [?] 2002) features an ad from IBM touting the advantages of the latest Intel Pentium 4 processor's LaGrand Technology. If I could find it I'd post the page number, but if you look through the issue it's on the left side somewhere in the middle-ish section. It promises freedom from viruses and a more secure operating system. I think it promises completely secure e-commerce as well. The average PC World readers are going to read this and their eyes are going to pop out of their heads. "Really? No more viruses? No more trojans? Secure e-commerce? How wonderful!" When online companies start pushing "secure" online movie rentals (broadband only, some restrictions may apply, void where prohibited, etc...) the ones surviving heart failure will scramble to buy new pcs with this LaGrand Technology (or amd's equivalent). After all, who wouldn't want a virus-free secure PC that does new and exciting things?
Nevermind that the reason 99.999% of the computer-using public have to even think about viruses is because outlook is so incredibly insecure. Nevermind that the only things stopping global availability of secure online shopping are the certificate authorities' greed and US crypto export laws*. Nevermind that online movie rentals will most definitely not take off soon considering how much bandwidth is available to home users even with broadband. (Yes, you may have 2mbit cable, but what's going to happen when a large enough percentage of friday night movie watchers decide to download and cable companies are overselling their last mile _and_ backbone bandwidth at a ratio of 50 to 1?) Nevermind that LaGrande Technology is designed to be the cpu-side hardware support for tcpa/palladium which is already flawed. I'm not saying that IBM won't be able to make good on their promises of perfect security and a virus-free environment (that's a separate debate) - I'm saying that they're pushing a unique PC ID and Digital Restrictions Mechanisms into every home in trying to do it.
(* Yes, I'm aware that you can get strong ssl encryption in linux outside the US. Here I'm referring to windows, a product from a commercial entity that has at least a slight interest in pretending they obey US law.)
So that's how it's going to get into homes and businesses. What harm is it going to do once it gets there? Well, just because it's going to be hopelessly inadequate when it comes to serving its intended purpose of stopping online piracy of digital media doesn't mean that it won't restrict fair use rights. Sure, anyone can use a cracked pd/tcpa box to download a film from disney and then distribute it online, but if Joe user can't rip his legally purchased CD and send it to his car stereo because of draconian DRM code, that's a problem. And that's only the copyright/fair use side of the issue. What about security? What happens when a certain OS vendor, with complete confidence in its supremely planned but critically flawed transition element, starts getting lax on security and starts depending on pd/tcpa keep everything together? Even worse security holes than we've seen before due to inattention to important detail and (at least) internal code review.
I hope you see what I'm talking about now. The worst possible outcome is not that palladium/tcpa will progress as planned (which violates the "possible" part). It's that it will approach an uneducated public and fail miserably.
Are you a paying member of the eff yet?
THe obvious one ... (Score:3, Interesting)
Re:THe obvious one ... (Score:3, Insightful)
This question WILL BACKFIRE on you unless you are extremely detailed and careful. They've built up an arsenal of smoke and mirrors to disuise their monopoly tactics as being free, open, even friendly and generous.
Linux will run perfectly fine on Palladium machines. A computer with Palladium is like a computer with a webcam attached. If none of the programs are written to use the webcam, it doesn't matter that it's sitting there unused. It is still a fully functional computer. All other programs still work.
Microsoft has specificly stated they WILL release the information Linux needs to use Palladium. This is their big "open source" hype. Everyone can use palladium. The catch is that Palladium programs will only run on an operating system they trust. This means the operating system needs to be signed by Microsoft. Well, actually Microsoft will probably set up an "independant body" to do the signing. There will be an "open process" were anyone can get their OS signed. Except the process will be very long, very difficult, and most importantly very expensive. You have to prove the OS's use of Palladium is completely secure and meets all the rules they set.
In otherwords it will be virtually impossible for Linux to get approval. Lets assume some big company like IBM actually does finance an approval for Linux. It's next to worthless because the signature will only work for that EXACT binary distribution. Switching to a different distribution, or moving up to the next release, or even just applying a patch will void the signature. And THAT excludes the possibility of using any commercial Palladium program or Palladium content on Linux in general.
-
Target Consumers? (Score:5, Interesting)
Ramifications for Independent Content (Score:5, Insightful)
The only way I can see it possible to effectively implement DRM is to require computers to not play any digital content that does not have a valid encrypted signature, as provided by the various media companies, and/or Microsoft and Intel.
My main concern, is that independent producers/composers/moviemakers will be locked out of distributing digital content, because the companies involved in Palladium, and other DRM schemes, can choose to withhold issuing these encrypted signatures to them, therefore rendering their content unplayable on Palladium-enabled systems.
I feel, as a copyright owner, and musician, that this infringes upon my rights to distribute my work signature-free, for anyone to be able to play. I do not want a special tag on my releases telling people this is official. I would just like to see my stuff "out there". Therefore, this infringes upon my right to the "pursuit of happiness", as ordained by the constitution.
Anyone else have thoughts?
Re:Ramifications for Independent Content (Score:5, Insightful)
Microsoft has said many times that Palladium does not do this. Of course, anyone could write software which would only play content that had a signature, and that software could otherwise use some Palladium features. But this is not Palladium functionality per se.
What Palladium does is kind of the reverse: it lets the remote server check that you are running "kosher" software. A remote server could refuse to stream content to anything other than Windows Media Player, for example. Palladium would allow WMP to cryptographically prove to the remote server that it was running, and nobody could write a "fake" WMP that could fool the remote system.
Then WMP can impose whatever DRM policies it wants, and the remote server can be confident that the data it sent to you will be managed under those DRM policies.
And of course you can always decide not to download the data, if you don't care to accept the terms under which it is offered.
In this system it seems likely that it is in Microsoft's interest to keep WMP "open" and allow it to play content from as many people as possible. That makes the software more widely useful and ultimately will sell more copies of Windows.
However, it's also possible that Sony or some other content company could create their own media player software, and it might only play Sony content. Again, this would not be a Palladium feature. The only place Palladium would come in is that the Sony servers could make sure that they only downloaded their content to Sony media players.
Oh, also Palladium would allow Sony or the WMP to store their files encrypted on your disk in a really secure way, so that short of hardware hacking you probably won't be able to break the encryption.
Re:Ramifications for Independent Content (Score:5, Interesting)
If there is a player that plays unencrypted content, then it is possible to copy movies. It only needs to be copied once, perhaps by a hacker with hardware modifications, or by pointing a video camera at the screen, and then can be played everywhere.
If only encryped content can be played, then it does not matter if some hacker makes a copy, it cannot be played on most people's machines. Every single machine would have to be hacked to enable it to play some new player that allowed unencrypted content. The security to IP is enormously greater with such a system, ie hundreds of millions of times more secure, so much greater that the drive to enforce this system will completely squash any morals or promises by a few people at MicroSoft.
But how will parents send grandma their videos of their baby? The answer is they won't, and they will forget the fact that there was once a time when a recording could be removed from one device and put into another. Or more likely they will be able to do it with a live connection through a trusted 1:1 connection from their camera to grandma's desktop.
Nobody will be able to record music, make movies, and possibly even publish text without a license from a media conglomerate.
I believe this is going to happen if these schemes are not stopped now.
Multiple Computers/Os's (Score:5, Interesting)
Re: (Score:3, Interesting)
Re:Multiple Computers/Os's (Score:3, Insightful)
Friend, I think your definition of "standard" has come unstowed.
There are basically two definitions of "standard" that apply here. On the one hand, we've got "standard" in the sense of an ISO standard: a documented specification that has been published by a recognized standards body. Ogg Vorbis doesn't meet that criterion. MP3 does, because it's part of an ISO standard specification.
On the other hand, you've got the idea of a "de facto" standard, which is a format or tool that's so widely used that you can depend on its availability with reasonable confidence. The Microsoft Word file format is a standard in this sense. It's not true to say that everybody uses Word, but in certain circumstances-- such as sending a resume to the HR department of a big corporation-- you can assume that Word will be the preferred format.
Neither de facto nor de jure standards have the moral or practical high ground. The world is composed of both, so it's important to be able to recognize either type of standard and act accordingly. In some cases, the de facto standard conflicts with the de jure standard. We're dealing with that now with respect to HTML; the de facto standard (IE for Windows) and the de jure standard (the W3C specification) conflict. That causes problems, but eventually they'll bubble out.
Ogg Vorbis, despite whatever merits it might otherwise have, can't reasonably be called a standard in either sense. In pointing this out, I'm not trying to say anything good or bad about Ogg Vorbis, or about standards for that matter. I'm just trying to keep the conversation straight, that's all.
Optional (Score:5, Insightful)
Could you ask them what "optional" means for me?
Please note the presence of any lawyers.
-Peter
What "optional" means to you... (Score:3, Informative)
Exercising this option is functionally equivalent to exercising the option to not have access to any digital content whatsoever.
So it's "optional" as in "breathing", not "optional" as in "comes with a sunroof".
-- Terry
My own personal video (Score:5, Interesting)
I am thinking if I make a video of my grand kids - how can I make sure that anyone I want can view it?
Hey Bill... (Score:3, Funny)
My question is... (Score:5, Insightful)
Reasons (Score:5, Interesting)
Palladium & OO Security (Score:5, Interesting)
And would the same apply to non-.Net Win32/64 code? How about scripting languages? Other VMs?
Tech/legal mix (Score:4, Interesting)
Corporate liability (Score:5, Interesting)
major palladium concerns (Score:4, Interesting)
Will code I write be able to be run on different Windows machines, or will I be restricted to my local environment barring a signature from Microsoft? From what I have read so far it is the latter and that is frankly terrifying.
Re:major palladium concerns (Score:5, Informative)
DIDW [didw.com]
And the relavant quote (with important part bolded):
DIDW: So flexibility is a big goal, with nothing traceable locked in and no specific required PKI structure it must be part of?
Juarez: The architecture is designed to be an open platform and open environment. As an ISV or service provider you can build anything you want on top of this platform and offer up a value proposition with consumers, or with other businesses. It can do all kinds of interesting things. But there's nothing in the system that says, for example, that if you run something in one of these vaults that you've got to have the code signed, or you have to have things authenticated. It's a very basic, open environment and we're not trying to build any elements of it that are going to require verification or the participation of anything other than the ISV and the person who is using the services want to have happen.
About the dates... (Score:5, Funny)
Secure Palladium? (Score:5, Insightful)
Hmmm.. On that note, maybe Palladium is a preview to Microsoft Silver?
Data corruption? (Score:4, Insightful)
If I understand correctly, Palladium checks the integrity of a program "down to a single bit" and will not allow the program to run if a single bit is different from what it expects.
What happens if a sector on the hard drive becomes corrupted? Whereas most programs will presently continue to run with a small amount of corruption (at least well enough to retrieve data), under Palladium would it not fail to load entirely? In other words, the most minor data corruptions become catastrophic failures.
Would it be necessary to reinstall the software entirely in order to run it under Palladium?
Will there be backdoors? (Score:5, Interesting)
What if i dont want it? (Score:5, Interesting)
Re:What if i dont want it? (Score:3, Funny)
If MS gets their way, I'd imagine they'd range from "eating shit" all the way to "dying."
Embarras MS or educate audience - a win-win (Score:5, Insightful)
1. If you turn it off - as MS claims they're going to allow - will the system then appear to apps, content & the network as "a Palladium PC with Palladium turned off" or as a non-Palladium PC? (Hint: it's the former.)
2. Will I still be able to flash my BIOS? *All* of it? replace it completely? (Assuming TCPA hardware, they're lying if they say 'yes'.)
3. Why would I want to buy this, if I'm not interested in Hollywood movies but do want complete control over my computer?
The real question is... (Score:4, Interesting)
Why would a company restrict the content they provide and thrus limiting their consumers with a tecnology that will divide the world and conquer nothing?
Cheers...
Question (Score:5, Funny)
A. After it is released what is the ETA of the hack that will work around Palladium?
B. How many months will it be before MS comes out with a patch for the above mentioned hack?
Demand? (Score:4, Insightful)
Editorial - I can see people moving in droves back to high-quality analog video and audio editing as a result of DRM technology being forced upon consumers. The whole point of a fast digital computer is to rapidly and conveniently manipulate digital data regardless of the format on a single machine, so any restrictions on doing so is a step back towards single-use analog or simple digital circuits.
Don't they SEE what they're doing in the big picture? The day a personal computer won't compute what you want it to compute is the day you switch to something that will, plain and simple. They're playing with nothing less than the death of the general purpose processor.
Re:Demand? (Score:5, Interesting)
They want to lock everything down and help the industry along back to the era of computing devices, rather than flexible, expandable, personal computers. This new "Freestyle" media center is just the beginning if you think about it. You can't -buy- a Windows Media Center license, you have to buy the software installed on a Microsoft-approved machine. Unless the software industry as a whole fights back against this push, we'll see the death of PC's within the next 10-15 years and the rise of a more fragmented, more expensive series of black boxes.
Why should Microsoft include DirectX in a PC when they have Xbox? Why allow people to build whitebox machines and risk them installing someone else's OS on it when they can tear the PC apart and make multiple "appliances" that conveniently link together bit by bit in order to become what people want? Snap your internet module into your media module, then connect your IO module and run the whole thing on WindowsCE 2010.
Call me paranoid, but I'm really afraid they'll find a way to make this profitable for the whole industry and completely kill the hobbyist when it comes to the new gear down the road.
It Will Be Broken (Score:4, Interesting)
A little history lesson, perhaps? (Score:3, Interesting)
Does Microsoft really believe its best course is to enforce a return to the bad old days of corporate control of computing through Palladium and other DRM mechanisms? Doesn't this route open up the way for a competitor to give people what they really want - control over their systems? Isn't this the beginning of the end for Microsoft?
Microsoft is listening (Score:4, Insightful)
Just something to keep in mind
Re:Microsoft is listening --- AS IF (Score:3)
Re:Microsoft is listening --- AS IF (Score:3, Insightful)
uh...yes?
http://slashdot.org/article.pl?sid=02/10/15/004
Re:Microsoft is listening (Score:4, Funny)
They'll never know.
Who holds the keys? And how many? (Score:4, Interesting)
Engineering holes (Score:3, Interesting)
Re:Engineering holes (Score:3, Informative)
Palladium has a concept called "curtained memory". It is immune to being touched by ordinary code, you have to be in a new CPU mode which is being defined as part of the Palladium spec (some observers call it "ring -1"). Most buffer overruns and similar bugs will not escalate your privileges high enough to touch the Palladium secure area, even if you can get into (normal) kernel mode.
My understanding is that you'd have to find a bug in the OS kernel software component that runs in the curtained area, which Microsoft calls the "nub" or "Trusted Operating Root". They intend to publish this relatively small software component for review in the hopes that it can be made bug free. If so then bugs in other parts of the software will not defeat Palladium security.
What not to say (Score:5, Insightful)
There was a MS representative at the career fair here at UVA and as soon as I mentioned the word linux, the conversation pretty much ended.
2 Questions (Score:4, Interesting)
2. What is plan "B" for a TPA (trusted computing architecture) when Palladium hardware security is defeated and anyone can run bogus signed code?
( I secretly want them to answer "Why, that's impossible, no one could ever break Palladium." )
* The Titanic was an UNSINKABLE ship! *
A line of Questions (Score:5, Interesting)
2. What ramifications will this have on digital content created before the introduction of Palladium? Will it still play?
3. Will the information necessary to create a Palladium enabled viewer be available to public? Or will we only be able to use Windows Media Player to play Palladium enabled content? What are the projected licesing costs for a company that wishes to create a viewer that is able to view Palladium enabled content?
4. Will hardware that requires a signature be able to run content that does not have one? (if yes) Will this then mean that any software that pre-dates the hardware must be upgraded? (if no) Then how will this system differentiate between a desired, older, program, and a virus?
I think a lot of you are missing the point... (Score:5, Interesting)
Now that's out of the way, let me remind you that there's a lot of truth to this often repeated statement. Palladium is, in a lot of ways, a cool, if horribly unoriginal technology (the concept of making software dependent on the presence of hardware to run has existed since dongles).
Regardless of how cool, funny, or "weak" it is as many of you claim, Palladium has two purposes. 1) Palladium is meant to make other deep-pocketed interests happy (more money for MS). 2) defeat any and all competition to Microsoft products.
It's very clear: Microsoft has the say-so in what code gets to execute on a Palladium-tainted computer. What code do you think will be allowed to execute?
You will argue: "It will be cracked." "We can stick with old computers." "This will not be accepted by businesses/consumers." But those arguments are either irrelevant or fall flat on their faces.
First of all, I agree. It will be cracked without a doubt. But do 99% of the users out there know how to use such cracks to free themselves? Do any of you crackers out there realize how complex this system is?
Second, we cannot stick with old computers. This is evident by the fact that there are hordes of users out there running 1GHz processors with half a gigabyte of RAM for the purposes of checking their email. Plus, software will always get more sophisticated and people will always want higher framerates, and so on. New computers will be purchased.
Last, of course consumers and businesses will buy up Palladium hardware! This is, without a doubt, the most absurd assumption anyone can make! "People don't want another DivX!" "People don't want to give up their rights!" Bullshit. People do not even know what their rights are. Not to forget that marketing spins already exist that are meant to convince people that they are getting something (increased security) when they are having something taken away. (Apologize to the guy who coined that phrase.)
Palladium is very real, and it is a very real threat. It will be adopted if it is allowed to continue. Even if we educate the public, it will press on (after all, users running Windows left and right, despite superior alternatives)? Sadly, I have no suggestions on how to deal with it... but we must certainly not take it as a laughing matter.
Have you considered an internal investigation? (Score:3, Funny)
A few questions I've been pondering myself (Score:3, Interesting)
What kind of performance hit can users expect to have when using encrpytion/DRM? And can they provide any benchmarks to back up any claims?
How much hardware will have to be "upgraded" to work with Palladium-enabled software?
What is the expected lifespan of Palladium security? I'm talking about this rev, not any "future versions".
Speaking of security, what kinds of encryption are they going to be doing? IIRC, TCPA calls for both symmetric and public key encryption. Key lengths? Uniqueness of keys? Disposablibity of keys? Key storage by third parties for any reason? Proof of any of the above (particularly the last one)?
How can a user ascertain if their system is running in "trusted mode" or not? Is it technically possible for a "trusted mode" to be running without the user's knowledge or consent? And, of course, how would they prove it?
Do users have the ability to determine all that is running on their system in or out of "trusted mode"? Let alone control that?
I believe I read somewhere about Palladium being able to create "vaults". If so (and I just wasn't hallucinating. Again), can multiple "vaults" be created, or even nested? Again, does the user have the ability to easily determine and access all vaults? If not, why not?
Speaking as someone in academia, how will this affect those of us trying and developing software and even hardware (unfortuneately some of the tools I've personally used have required the use of Windows)?
Why palladium does not work (Score:3, Insightful)
I don't know why people are so excited about Palladium. It can not function as they claim it. This is a fact, because nobody can ignore the reasons, at least not in this universe. I'm always under the impression that there are people who sell some highly speculative and esoteric garbage. They claim something that cannot work. And still there is applause for these people, for whatever reason. And if enough applause is around, everybody claps his hands, too, without knowing why. Anyway, Palladium will never do what it is claimed to do, it cannot function reliably and every child with a little skill in mathematics can find a proof for this fact. I will give this proof now.
Introduction
A computer is a formal system which you can analyze in various ways. Mathematics gives us nice measures to do it. These measures allow us to give predicates about ideas like Palladium without even knowing anything about their inner details.
If we assume a correctly functioning computer, this predicate is wrong. A computer is a system which can from its boot strap state reach only a finite number of states, while a Turing machine can reach an infinite number of states.
An ideal computer, which would have an infinite amount of memory, can emulate a Turing machine and is thus equivalent to a Turing machine.
This predicate is wrong. The finiteness of states a computer can reach is not disabled by the much larger finiteness of a network. Because the network, as opposed to the computer, grows over time, it can be seen as an unlimited amount of memory. You would just have to wait until someone, somewhere on the planet adds more memory to the network. However, this memory is over-directed and so the system is no longer deterministic. Therefore a computer with network connection is a non-deterministic system. Non-deterministic systems are not Turing machines. Any computer is deterministic if and only if the computer controls the network connection. This control is finite, because the computer has only a finite amount of states available. So a computer can still only reach a limited number of arbitrary states. That's why a computer is still no Turing machine.
This predicate is right. Since a Turing machine can emulate every deterministic computer, all limitations that are put on a Turing machine are also valid for the emulated computer.
A Turing machine is deterministic and is thus countable. Therefore it is imperfect as a formal system in the Goedel sense. Hint: In imperfect systems it is possible to pose a problem that cannot be solved within the system (e.g. the formula x*x = -1 in the real number system).
Based on these introductory insights a conclusion can be drawn now.
Evidence
This demand is legitimate. A security risk is, by definition, something that you cannot completely abandon. A computer connected to a network is non-determenistic and as such a security risk. A deterministic computer that does no longer react in a predictable way as soon as you connect it to a network is undoubtedly a security risk, because you can no longer tell what the computer does and why. Everyone should seek to avoid security risks with computers. Especially a platform that claims to make a computer more secure must be bound to this insight, otherwise it would increase the security risks instead of decreasing it.
This predicate is wrong. We assume that a computer does not work in a determenistic way with Palladium and it thus constitutes no Turing machine. On the other hand Palladium supervises the data processing inside the computer and cuts off certain states. Therefore the computer loses a lot of its possibly reachable states, that is the number of possible states becomes "even more finite" than it was before. If the computer remains deterministic, then the total number of states is lower than that of a computer without Palladium. For this reason a computer with Palladium is no Turing machine, either. (This is too bad. Would a computer with Palladium constitute a Turing machine that would be a direct proof that Palladium does nothing, because all Turing machines are principally equivalent).
This predicate is wrong. Either Palladium makes a computer insecure (see above: security risks) and will therefore not fullfill this claim, or Palladium is as a formal system imperfect by principle. Imperfectness in this case means that you can impose a request upon Palladium that it cannot fullfill, by principle. Since Palladium wants to give improved security, it either can not accomplish this claim or it has to limit the usage of the computer so that there is no way to use the machine for the broad number of tasks like before. The Goedelization in this case assures us that the limitations are by no means imposed on unwanted operations, which Palladium wants to prevent, but on wanted operations which Palladium permits (or even disres) for the user. It is irrelevant if I can now give a significant example for this or not. The fact is, simply put, that thanks to Goedel can construct such an example. That's why Palladium can again not fullfill its claim. The user is prevented from doing things that he is permitted to do due to Palladium, even though these operations are desirable.
The final conclusion will be drawn now
Conclusion
I assume that at Microsoft there are bright minded people who know enough about mathematics to not only be able to follow my implementations, but rather knew them long ago. I assume this because there's not much behind it. And therefore I assume that Microsoft knows that Palladium can not function in the way they claim.
Now that raises the question why Microsoft still propagates Palladium in the way they do? They should know that their claims are wrong. I see only two possible reasons for this riddle:
Either Microsoft wants to mock up activity in the security sector, which in reality doesn't exist and in such way gain market shares by marketing fluff.
Or Microsoft exactly knows that the computer will become completely uncontrollable with Palladium, because every networked computer with Palladium will work in a non-deterministic way. The non-determinism in this case helps specificially the one who controls Palladium, and this means Microsoft and Intel. But it will be exploited by hackers as well.
Since I make the assumption that the uprising damage from the second case would make an unrecoverable loss for the companies, I firmly believe that Palladium is marketing fluff. Professionals will turn off Palladium to have a (more) secure computer again. For consumer computers this might be a different case, but certainly no sysadmin is going to blindly accept an increased and easily avoided security risk.
Palladium most probably is nothing but marketing fluff without any backgroud - except moneymaking.
We shall not fear Palladium. If it was impossible to turn off Palladium, every computer's value would be zero if it was not connected to the net. And if it was connected to the net, it'd be completely indeterminate what the machines does. At least that's the consequence of Goedel's proposition of incompleteness.
Tino
Original text (german) can be found on: http://20k.de/postnuke/modules.php?op=modload&nam
Final word from the translator, ie. me: English is not my mother tongue.
Can Peripherals Use Palladium? (Score:3, Interesting)
Will it be possible for new peripheral devices, like disk players for Super Audio CD or DVD-Audio, to use Palladium to make sure that only "authorized" (by the drive manufacturer) software can read the data from the disk drive? I.e. will the drive firmware be able to use Palladium to get an attestation on the secure hash of the running software that is trying to access the drive?
This would end unauthorized ripping of data from these new formats, which would be tremendously valuable to the content companies. It is plausible that these companies would only allow their drives to go into computers if Palladium could provide this assurance. Therefore by providing this capability, Microsoft would make PCs more attractive and useful to consumers, sell more copies of Windows, and make more money.
Microsoft has both the incentive and the technological capability to do it. But they haven't said if they will, and none of their public discussion has touched this issue. Please ask them.
I can really only think of one question: (Score:3, Insightful)
KFG
Question of the Century (Score:5, Funny)
Slashdot readers froth at the mouth (Score:4, Insightful)
I think this should be treated the same as any invitation to submit questions to an interviewee.
MS, in this case.
It's disappointing to see the flamage herein. Yep, Slashdot may be homogenizing, as some have asserted - becoming bland, grey, doubleplusungood sameness in all directions. Personified by Prolific Puking Proselytizing Punks!?!
Yet ---- on the flip side, there are too many superficial questions asked, which by their phrasing or their supposed "subtlety" or "indirection" will somehow be "sprung" upon the erstwhile MS drones standing under the bright lights.
Sigh.
This is a very rare opportunity, if indeed someone will represent "our" interests at this forum (and assuming the chance to speak).
We should be asking all the questions that have come up before, but that have not yet been answered: in Salon [salon.com] by Bruce Perens ('Perens is convinced that Palladium will let Microsoft decide which applications can run on a machine and which are simply too unsafe for public consumption -- such as programs written by open-source hackers. Perens even thinks that's the point of Palladium: "It's designed to kill off open-source development."') and in Dan Gillmor [siliconvalley.com] ("Microsoft has launched its Palladium initiative, a hardware-software system designed to make computing more secure from viruses and malevolent hackers. Palladium, unfortunately, could also be used by intellectual-property owners to lock down copyrighted materials in ways that would damage users' rights. Critics have also suggested that Palladium could be used to freeze out open source software -- and they make a compelling case.")
A few example questions:
What is Microsoft's response to Cringely's allegation that data will no longer be "permanently readable" - a characteristic of computing that is taken for granted today?
What is Microsoft's position today on this issue?
Is this DRM part of (or related to) Palladium? In any event, what recourse will users have when (if) their existing software ceases to function as a result of these new "features"?
Search Google, read all the material, find the unanswered questions - and it won't matter that Microsoft sees this slashdot thread. Ask the questions that MS knows about, but has not been able or willing to answer...
What, Why? (Score:4, Interesting)
Does your computer trust you? (Score:3, Insightful)
What Palladium does is to enable the computer to NOT trust its owner.
Any other problem allegedly solved by Palladium can be solved without it.
Really!!
Can an interpreted language run under Palladium? (Score:5, Interesting)
Say I write something in an interpreted language, Python, Perl, Java, whatever.
The interpreter binary that runs the code is signed, totally officially Palladium-fine.
Then I can write any Python code that does whatever, can't I? You can't sign the ASCII source code.
I conclude that any language interpreter, or any application that has any sort of scripting language (say IE, Outlook, Word) can't have any means of breaking out of DRM in the language or it won't be certified. This is unbelievably crippling.
Re:Wha is the point behind Palladium? (Score:5, Interesting)
Re:Wha is the point behind Palladium? (Score:3, Interesting)
It's unlikely to work, of course, due to the huge line between a hardware geek and mainstream user.. but I think it could make some kind of dent. Certainly one that could last until someone is able to bypass/crack/trick Palladium.
So, I say let them do whatever. Last I checked, my Athlon XP 1500 ran FreeBSD very smoothly.
Re:post paladium (Score:3, Funny)
5) (Inconceivably large amount of) Profit
Re:Linux is not the answer (Score:3, Funny)
Thank God my XP box is compatible with the Internet. I can tell The Internet is working, because ZoneAlarm keeps telling me when Media Player tries to Phone Home.
Re:Second post! (Score:4, Insightful)
Since Brian LaMacchia was an MIT doctoral student of Hal Abelson who is the prof concerned, chances of that happening are nil. I presume he is giving the talk as he is also speaking at another event on Friday.
Brian designed much of the security architecture for dotNET which is pretty much state of the art for network application security. He also started the MIT PGP key server. Whatever Microsoft's past reputation might be, Brian is not responsible. Don't confuse the security abilities of the folk who write IIS or Outlook with the abilities of security specialists. As a group there are very very few organizations where anyone listens to us. Netscape had a really bad problem with security until they hired Taher and the brothers Weinstein and they only got listened to there because Netscape got burned baddly in several fiascoes in succession - like SSL 1.0 being broken before Marc sat down at the end of his presentation, the random number bug which they had been warned on repeatedly, etc. etc.
Don't fool yourself, all computer software companies have security problems that need to be addressed. I don't think the open-source scheme to get security consulting for free is going to be a good long term solution.
The point that slashdot people miss on Palladium is that for years the common rebuttal to a lot of security solutions has been 'you can't do that without trusted hardware'. So the fact that MSFT is pumping money into developing a trusted platform is a significant step forward.
OK folk may not like trusted hardware being available to the RIAA, but they are not the only people who can benefit. It is kinda like the same situation we had with key recovery and Clipper. Freeh was right, there are commercial uses for key escrow, it is kinda a problem if you have an encrypted disk and there is no copy of the key anywhere. Problem was that Freeh's illegitimate demands killed the legitimate market. Don't let the RIAA do that with Palladium.
For example storing your credit card # on a PC makes no sense, people still do it. They can do it a heck of a lot more safely if there is a trusted platform which will only allow trusted wallet applications access to that key.
Another example, for years we have wanted to have PCs that simply refuse to boot except to repair mode if the O/S has been tampered with. That way a trojan or virus can't lurk for years. Tripwire tries to do something like this but it really is a substitute for secure H/W
The Palladium folk know that any hardware scheme is vulnerable to hardware attacks. That does not make such schemes unworkable however. Despite the fact that smartcards are vulnerable to electron microscope attacks they do raise the bar significantly.
Re:Second post! (Score:3, Insightful)
Typically you'd rather lose data on an encrypted disk than risk it being compromised. Key recovery and key escrow go directly against this. Replacing mathimatically proven security for a human trust form of security = Bad idea.
As for storing a CC number on your computer and only allowing trusted wallet applications to access it. Sure, its rather stupid to store stuff like that on your computer. However you are far more likely to get it stolen from the other end. The server is known to have them and has a lot more than some random computer. I'm also not convinced that this system makes your data any more secure than an entirely software solution using encryption.
Finally, if you want to prevent a computer from booting if tampered with. It is pretty easy to boot from a write protected floppy. Put whatever verification you want on that.
Perhaps there might be some good uses for this technology, but I'd rather try to make esisting technology work than be forced to give up the control that MS/RIAA/MPAA want.
Re:Second post! (Score:3, Interesting)
Typically you'd rather lose data on an encrypted disk than risk it being compromised. Key recovery and key escrow go directly against this. Replacing mathimatically proven security for a human trust form of security = Bad idea.
You sound an awful lot like Bruce didfive years ago before he got a clue and wrote secrets and lies which is all about why mathematically perfect systems are not what people want. BTW the main objection to Palladium is that it may not work if it is too perfect.
I sell key recovery systems, all my customers disagree. There are very few companies who would like to loose their accounts (other than those run by close supporters of George W Bush). If there were no demand for key recovery I would not sell it.
As for storing a CC number on your computer and only allowing trusted wallet applications to access it. Sure, its rather stupid to store stuff like that on your computer. However you are far more likely to get it stolen from the other end.
Not so, we can encrypt the cc number so that it is never known to the merchant (apart from the last four digits). SET did this years ago, it failled in part because of complexity but also because of the store on the PC issue.
Finally, if you want to prevent a computer from booting if tampered with. It is pretty easy to boot from a write protected floppy. Put whatever verification you want on that.
That is not particularly practical and not particularly secure either. Unless you can put the whole TCB onto a floppy (hint you can't get much of UNIX onto a floppy) then the attacker can compromise other system files and you are toast.
Re:Ask This (Score:5, Funny)
Maybe because we can't grammatical sentences?
Re:Alternative Roots of Trust? (Score:3, Interesting)
Anyone the content owner selects.
The point is that the content owner has control here. If you don't want to palladium control the video you send to granny then don't lock it, if you do want it protected then lock it.
A more significant question is 'will companies not affiliated with major labels be able to use palladium to control access to their content without discriminatory terms?' In Europe Rupert 'Fox news is not biased right wing crap' Murdoch got control of the independent satellite chanels because he had control over the encryption scheme implemented in the decoders and could discriminate in the charges to use it. The labels could use a similar mechanism to keep out indie labels and band owned labels.
There does have to be a root for hardware though. Microsoft has not yet said how the root will be managed, however since Brian stuck all the SPKI stuff into dotNET he does appear to be into single rooted hierarchites.
Assuming that the harware manufacture will follow the DOCSIS model (which TCPA seem to be doing) there will be a root owned by some manufacturing consortium that any manufacturer can get certified under provided they undertake to meet the trusted criteria.
Re:ask them... (Score:5, Funny)