The Active Network
ActiveMac Anonymous | Create a User | Reviews | News | Forums | Advertise  
 

  *  

  Microsoft slammed for Palladium 'lies'
Time: 10:57 EST/15:57 GMT | News Source: VNUNet | Posted By: Byron Hinson

Critics have slated a Microsoft document on its upcoming Palladium digital rights software as containing several outright "lies". The 1,500-word frequently asked questions (FAQs) paper gives some details about how Palladium will work and how it relates to digital rights management and the Trusted Computing Platform Alliance. It is in part a rebuttal of the FAQ on Palladium from Dr Ross Anderson of Cambridge University, which can be found here, which is highly critical of the software.

Write Comment
Return to News

  Displaying 1 through 25 of 337
Last | Next
  The time now is 12:58:16 AM ET.
Any comment problems? E-mail us
#1 By 1845 (12.254.162.111) at 10/29/2002 11:20:22 AM
Highly critical of the software that doesn't yet exist? That seems a little odd.

#2 By 1845 (12.254.162.111) at 10/29/2002 11:30:04 AM
Dr. Anderson needs to learn a thing or two about academic honesty before publishing such garbage.

This post was edited by BobSmith on Tuesday, October 29, 2002 at 13:59.

#3 By 135 (209.180.28.6) at 10/29/2002 12:22:44 PM
How can a white paper from Microsoft describing a concept that doesn't fully exist yet, but is still being developed by Microsoft amount to lies?

Honestly I still haven't figured out exactly why I need Palladium, but that's a point for another day.

#4 By 1845 (12.254.162.111) at 10/29/2002 12:50:18 PM
It's your Pal, blue! Oh fine, another day then.

#5 By 2459 (24.233.39.98) at 10/29/2002 1:02:49 PM
The only lies I see are from the doctor. As stated above, he can't do anything other than make assumptions about technology that isn't yet implemented. There are also a major flaws in his logic: Palladium will be an open specification that anyone can implement. If opening a document depends solely on having a trusted system (Palladium is the name for the MS hardware/software implementation), them you will be able to open that document with any platform that comforms to the standard without fear of the DMCA.
------------
"You can choose to use Palladium in the same way people choose to use Windows: if you want to run a business or exchange data with anyone else you'll have to use it."
-------------
This depends on what Palladium features are utilized by the software, and whether the business requires Palladium to be active for the data they exchange. They can always turn it off. And if the features utilized do not impede the sharing of the data, those features would just not be used on a non-Palladium platform. And, again, Palladium does not tie you to Windows. It can be implemented on other platforms. The only thing they may be Windows specific are some of the software services implemented in the Windows version of the Palladium API. Given enough time, even these features could be cloned on other platforms.

Last, this guy makes the same mistake as others who have tried to examine Palladium. He confuses it with TCPA. Palladium is NOT TCPA. It is nowhere near as restrictive.

#6 By 2459 (24.233.39.98) at 10/29/2002 1:03:49 PM
Yeah, B, it's your Pal. :-)

#7 By 3339 (65.198.47.10) at 10/29/2002 1:15:41 PM
Wait, a second... this guy has been attending conferences attended by scientists, academicians, and people in the industry--why are people presuming he's making stuff up? If he says anything up until the day a physcial product is released with the software and the chip, he's lying but until then MS can make whatever promises they want to? Baloney!

And as far as what I read, he's not saying much but the obvious--MS wants to say you have choice, but you don't have choice if the software chooses to use the technology in some way that you disagree with. That's his point, and that's obvious. MS wants to spin that as choice, but really, the only choice is: if new tech uses Palladium technology, and you want the choice to not use Palladium, you can choose to use older tech that doesn't use the technology. That's not user choice built into the hardware/software solution--not the choice that MS is semantically, marketingly professing...

#8 By 2459 (24.233.39.98) at 10/29/2002 1:37:15 PM
I never said he was making stuff up. I said his logic and assumptions are flawed. He is confusing Palladium with TCPA. He even mentions controlling the boot process. Palladium has no control over the boot process. It is not a locked-down system like TCPA. Palladium is basically an API that allows developers to take advantage of OS-provided security features. The technology most people fear, DRM, has nothing to do with Palladium. DRM is in the OS now. Palladium just allows that included DRM to be more effective by consequence of the hardware layer allowing an architecture that is harder to crack than a software-only solution. The hardware offers features such as masking the memory space of a running application. If this were a software-only solution as it exists today, it is exponentially weaker and more prone to hacking, especially one-method-multiple-system hacking. The hardware adds an extra layer of resistance, and keeps script-kiddie cracks from working on multiple systems.

#9 By 2459 (24.233.39.98) at 10/29/2002 1:38:06 PM
By the way, have you met your wannabe, sodajirk, yet?

#10 By 2459 (24.233.39.98) at 10/29/2002 1:40:28 PM
Actually, looking back, I did imply he was making stuff up. :-)

"The only lies I see are from the doctor."

#11 By 3339 (65.198.47.10) at 10/29/2002 1:59:02 PM
Yes, you certainly did, and your number 8 post just goes of in the circle that is not descriptive and defensive MS-speak.

No, I haven't met jirk yet.

It's ridiculous to say Palladium has nothing to do with DRM if you are saying that DRM is uneffective being software only but with Palladium you will be able to strengthen and lock it to hardware... That is a direct conenction to DRM. Palladium strengthens and provides an API for hardening/enabling DRM. In your own words, more or less.

This post was edited by sodajerk on Tuesday, October 29, 2002 at 13:59.

#12 By 2459 (24.233.39.98) at 10/29/2002 2:13:16 PM
beeyp, I'm referring to the users, of course. It takes a bit of skill to write the exploit, but none at all to use the exploit when it is nicely packaged and requires little effort to execute. Script kiddies brag about their leetness, but don't do any of the work.

SJ, True, but those same hardening techniques apply in a general manner to any software a developer wants to use those features. DRM strengthening is one of many uses the hardware/software solution will provide. Making the OS and applications more crash-tolerant by restricting access to certain processes is also a chief benefit. DRM will exist either way, but it taking advantage of Palladium features is no different than any other application using them.

#13 By 3339 (65.198.47.10) at 10/29/2002 2:16:13 PM
What I haven't heard is what it will do otherwise that I need? How will it prevent spam and viruses without simply using existing techniques or layering on a whole complex trusted parties network? Will it only be effective if trust relationships are granted/maintained? What other protections does it offer? I don't get hacked, I don't get spammed, I don't get infected with viruses.

If MS doesn't want outside sources talking about what they think Palladium is, maybe they should actually start saying what it does, that hasn't been done before, and which needs to be done, without causes further hassles. WIthout that question answered in that way, they deserve to have the wildest speculation to run rampant on their ass (not that I think Anderson's speculation is rampant speculatin nor do I think that serves others' interests best), but it is what MS deserves.

#14 By 2459 (24.233.39.98) at 10/29/2002 2:20:19 PM
To add, my main "beef" is that this guy makes the assumption that Palladium is TCPA when there are clear, documented differences between the two. Everyone harps on Palladium based on content taken from TCPA instead of from the people actually designing Palladium. All this does is make people explain their dislike for the technology based upon the misinformation of sources such as this. DRM was like this. Product Activation was like this. Many others.

#15 By 2459 (24.233.39.98) at 10/29/2002 2:22:48 PM
That's just it SJ, they have been saying what it does. I've posted many links to info right from MS' site that explains Palladium. I'll try to find my most recent post and repeat it here.

#16 By 2459 (24.233.39.98) at 10/29/2002 2:25:49 PM
He also makes false claims about how XP works. All of his links to Palladium info come from third parties that know just as little as he does. It's not that hard to find the MS info.

Oh yeah, Master poster status, woo hoo.

This post was edited by n4cer on Tuesday, October 29, 2002 at 14:28.

#17 By 3339 (65.198.47.10) at 10/29/2002 2:26:56 PM
Oh, so now the main reason for Palladium is to prevent crashes? Ahh, the ever-evolving, ever-moving target that is Microsoft's desire to avoid the issue, foist unnecessary tech, and FUD the competition and opposition. Uh, huh. Shouldn't XP (simply being the best NT edition thus far) prevent those crashes? Shouldn't a .Net-based OS prevent those crashes? What crashes are you talking about? And how is unauthorized, unmanaged code that causes my system to crash getting on and running on my computer in the first place? This simply (from a good security perspective) shouldn't happen--good security doesn't say: "yes, now it's okay to have unauthorized, unmanaged code running on your OS because there is a hardware layer now to stop it!" Ridiculous.

I love the gist of your argument: yes, DRM is a main feature directly related to Palladium, but there are other completely useless features of Palladium. Because DRM exists anyway, and because Palladium can be accessed by other software for other reasons (crashes? really? Is this a problem that only now requires an additional chip, a year or more of development, all this press and controversy, additional costs, additional restrictions... now... when this problem is finally going away? Uh, huh), you should ignore the fact that it's main use is DRM.

#18 By 2459 (24.233.39.98) at 10/29/2002 2:31:23 PM
The features are far from useless. They can prevent co-opting of code by malicious applications.

"And how is unauthorized, unmanaged code that causes my system to crash getting on and running on my computer in the first place?"

You download it, of course. Maybe not you, speciffically, but think about average Joe.

#19 By 3339 (65.198.47.10) at 10/29/2002 2:33:20 PM
enforcer, that's just it: they haven't. I've read their info. I don't know why you feel like when you've posted ten different links, you've blown someone's mind or something. I 've read the links and I wholly agree with Andersen--they are lying. I haven't read a single benefit. I haven't read why I would want this. I haven't seen the need for this demonstrated. And, yes, I read.

Even in this discussion, all you have said so far is: yes, Palladium is directly related to DRM, but it will also make Windows, oops, I mean, an OS (do you actually think any other OS is interested in Palladium besides Windows) more crash-tolerant.

That's it. Meanwhile, there's a bunch of Microsoft blather in between and some disagreements with this author.

#20 By 3339 (65.198.47.10) at 10/29/2002 2:40:08 PM
"You download it." No sh!t, shirley! And who grants trust to apps and docs? And why do I have to get embroiled in granting trust to people and apps and docs when I don't need to now? And do you think it'll be impossible to gain trust from the average Joe?

Just because something may have a use, doesn't mean it's not useless. If that use is so negligible, or it creates additional difficulties, or if that use doesn't need to be met or can be met by something else, it is quite useless.

#21 By 2459 (24.233.39.98) at 10/29/2002 2:58:34 PM
You don't understand, sodajerk. You don't have to grant trust beyond what is currently required in things like .NET apps. Even so, Palladium systems will still run untrusted code if the user desires. If the user decides to download klez.win32, he is free to do so. If he wants to play unprotected content, he is free to do so. What Palladium does in a case like this is protect malicious code from invading the memory/process space of other apps or the OS.

It does this via:

Curtained memory. The ability to wall off and hide pages of main memory so that each "Palladium" application can be assured that it is not modified or observed by any other application or even the operating system

Attestation. The ability for a piece of code to digitally sign or otherwise attest to a piece of data and further assure the signature recipient that the data was constructed by an unforgeable, cryptographically identified software stack

Sealed storage. The ability to securely store information so that a "Palladium" application or module can mandate that the information be accessible only to itself or to a set of other trusted components that can be identified in a cryptographically secure manner

Secure input and output. A secure path from the keyboard and mouse to "Palladium" applications, and a secure path from "Palladium" applications to a region of the screen

All of which can be disabled by the user, or simply not utilized because the user's system does not have all of the needed components. Many features of Palladium are in existence today. Trusted computing is available via .NET. This is basically an extension of what is currently available.

As to who else will implement Palladium: There was a rumor that IBM or HP would implement it on Linux. It's the same as asking the question of who, besides MS would implement .NET. No one though it would be on Linux until Ximian started working on it.

#22 By 2459 (24.233.39.98) at 10/29/2002 2:59:29 PM
And, don't call me shirley. :-)

#23 By 3339 (65.198.47.10) at 10/29/2002 3:07:12 PM
enforcer, I understand fully. This is mostly accomplishable in software. This hardware solution will require recoding, and can simply be bypassed. The bypass may not affect as much, but if the functionality is chosen to be circumvented, why did I need it in the first palce. Everything you mention: curtained memory, attestation, sealed storage, and secure I/O can be accomplished through software, and MS hasn't... Why do I need to give them the chance to fail at providing it through hardware?

#24 By 1845 (12.254.162.111) at 10/29/2002 3:07:52 PM
I think this is your latest, n.

http://www.activewin.com/awin/comments.asp?HeadlineIndex=12918&Group=1

#25 By 2459 (24.233.39.98) at 10/29/2002 3:14:38 PM
Thanks Bob.

SJ, the thing is, some of these features are implemented in software, but MS realizes what others in the industry do. Anything done in software, no matter how good, is open to attacks. If you use hardware, you can make it so that an attacker would have to gain physical access to the system to circumvent the security. You can also make it so that breaking into multiple systems requires multiple techniques. With hardware, you gain the advantage of having a component that can't be changed as software can.

CAPCOM did this to prevent hacking of their arcade games.

This post was edited by n4cer on Tuesday, October 29, 2002 at 15:15.

Write Comment
Return to News
  Displaying 1 through 25 of 337
Last | Next
  The time now is 12:58:16 AM ET.
Any comment problems? E-mail us
User name and password:

 

  *  
  *   *