Vista Security The 'Longest Suicide Note in History'?

rar42 writes "The Inquirer is reporting on an analysis of Vista by Peter Gutmann — a medical imaging specialist. This isn't the usual anti-Microsoft story — just a professional looking at what is going to happen to his computer if it is upgraded to Microsoft Vista. From the article: 'Windows Vista includes an extensive reworking of core OS elements in order to provide content protection for so-called "premium content", typically HD data from Blu-Ray and HD-DVD sources. Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost,' says Gutmann."

Unnecessary Decline?

[P(0)(!P(k)+P(k+1)) (1012109)]

From TFA:

If I do ever want to play back premium content, I'll wait a few years and then buy a $50 Chinese-made set-top player to do it, not a $1000 Windows PC. It's somewhat bizarre that I have to go to Communist China in order to find vendors who actually understand the consumer's needs.

At first, I shared some cognitive dissonance with Gutman; China, however, is governed by Chinese and for Chinese: they're allowed to act in their own best interests.

The U.S., on the other hand, is beholden to parasites and corporations; and compelled into an unnecessary decline.

Re:Unnecessary Decline?

[ravenshrike (808508)]

China, however, is governed by Chinese and for Chinese

*cough* I think you meant by Chinese Corporations for Chinese Parasites who also happen to hold government positions.

Re:Unnecessary Decline?

[by Anonymous Coward]

The U.S., on the other hand, is beholden to parasites and corporations

*cough* I think you meant by Chinese Corporations for Chinese Parasites who also happen to hold government positions.

Fixed that for you, you quoted the wrong part of his post.

Chinese DVD players

[tgibbs (83782)]

I currently have a Chinese-made upconverting DVD player. Chinese made because the US and Japanese manufacturers have knuckled under to the demands of the entertainment industry that no DVD player will output HD content over component video cables. (Now think for a moment just how mind-numbingly stupid this restriction is. Upconverting DVD players don't actually output video in true HD, because the movie isn't on the DVD in HD in the first place, and no process can add more information that was there to begin with. All an upconverting DVD player does is interpolate. An upconverted signal is the absolute last thing that any pirate could want, because it massively increases the amount of data required to copy the signal, without adding any information. So the entertainment industry, out of sheer ignorance has added a completely useless restriction that imposes considerable inconvenience on the consumer. Many older HD TV's only have component inputs, and even newer ones typically have only one HDMI or DVI input. And HDMI/DVI switchboxes are much more expensive than component ones. So consumers end up switching cables, shelling out extra money for switchboxes--or doing what I did, and buying a Chinese DVD player that is oriented toward the consumer instead of sucking up to the content industry.

Re:Unnecessary Decline?

[cgenman (325138)]

Eventually to maintain that growth they'll have to start protecting rights or they'll become a victim like they have been victimizing the rest of the world. How good do you feel paying $10 to see a movie so the Chinese can pay a $1 for a DVD?

It's funny you mention that. I was in Thailand not too long ago, and the price of a legal, licensed VCD was about $1. Legal DVD's were about $40, because they were a luxury item that only the rich could afford anyway.

Companies charge whatever the market will bear. If movie studios think they can get $10 out of an American audience to watch a movie, that's what they'll charge. It doesn't matter what's going on in China, except to say that they'll throw up all sorts of technical and legal barriers to importing their cheaper goods from that region. Likewise, a new CD in Brazil can cost 3 - 5 dollars. Again, legally.

China and other less restrictive countries are looked upon as bastions of IP freedom because there are some major ways in which they are. India, for example, allowed knockoff drugs for a very long time on the grounds that it was immoral to value western company's exploitive drug pricing schemes above human life. Go to Taiwan and *gasp* you can get DVD players that will let you play movies you have legally bought and paid for in any region of the world. You can get CD's in other regions of the world where the corporations convicted of illegal price fixing actually compete with local music companies and pirate CD creators to come to a more reasonable cost structure. Heck, until a few weeks ago you had to travel abroad to get the cellphone you've purchased unlocked from that one restrictive provider.

All of the above seem reasonable, but are completely banned in the US. It's nice to go to a country where the huge companies do not simply write whatever laws they want, but have to contest with the needs of the consumer, who have alternatives to the restrictive legal route.

China is also not communist, but that's another issue.

Of course there was entertainment...

[NotQuiteReal (608241)]

Back before DRM and copyrights there was Banjo music.

Live banjo music, played by relatives, close relatives. Very close relatives.

Well then don't use it

[Average_Joe_Sixpack (534373)]

You're not supposed to use a consumer grade OS for mission critical apps anyway. So if you went with a vendor that builds its apps on such an OS, then you are at fault.

Re:Well then don't use it

[ceoyoyo (59147)]

Unfortunately there's very little choice. The systems that run medical scanners tend to run some form of UNIX, and you can buy a workstation for a couple hundred thousand that will do the same thing, or you can use the hospital's PACS web front end... which in most cases works pretty much exclusively with IE.

Brief Outline of Medical Imaging Information Flow

[Ears (71799)]

This is part of the subtext both of the original article, and of this most recent post, so I thought I'd share what I know about it. FWIW, I'm a radiologist--that is, an MD who interprets the results of imaging studies--and an informatics geek.

Images are created on whatever imaging device--CT scanner, MR scanner, ultrasound machine, digital X-ray machine--and manipulated by the device's controlling system to do simple annotations, reformatting, etc. This is typically a Unix-based system running custom software designed and maintained by the device's vendor. The images are not usually interpreted on these systems.

From there, the images are sent to the PACS (Picutre Archiving and Communication System) [wikipedia.org], which is just a gigantic central image database. These also tend to be Unix-based systems.

There tend to be two front-ends for looking at images in the PACS database. The first is the radiologist's interface, which is a high-end video workstation dedicated to showing medical images with the greatest possible fidelity. Most systems I've seen are Windows-based (Windows 2000, in our case) and run software which was built by the the imaging system vendors in the late 1990's. Much is made of the "lossless" nature of the images which are displayed; for example, when you log into such a machine, you're warned about how "This is a medical device" and that you shouldn't mess with it. Much is also made of "diagnostic-quality monitors" and high-end video cards to drive the monitors. This is an artifact from the early days of digital imaging interpretation in radiology, when there was a great deal of concern about whether the quality of the digital images would be adequate for us to figure out what was going on in Grandma's chest X-ray if we weren't looking at a piece of acetate. Most of these concerns have died away, as the differences in resolution and dynamic range turned out to be relatively minor and the added conveniences of being able to manipulate the images digitally turned out to be huge. For example, the new LCDs I seen being put on PACS workstations are off-the-shelf Dell 22-inchers, as far as I can tell.

Finally, there are "non-diagnostic" interfaces to the PACS images, which do tend to be web-based. These are so non-radiologist doctors can look at the images, too. Some are IE-based, and use an ActiveX control to display the images, and some use a Java applet. These are displayed with lossy compression (since someone might want to look at them from off-site via a VPN), and officially are not allowed to be used for interpretation. And in fact, I wouldn't want to; it's a lot harder to see subtle things on them than on a full-blown PACS workstation. Part of that is just the interface (it's hard to use those stupid ActiveX/applet things) and part of it is crummy/mis-configured monitors, but I suppose compression artifacts could also play a role.

So, to review: you go see your doctor, Dr. Smith, in her office, and she orders a chest X-ray for you because you're coughing and have a fever. You come to the hospital, and the nice technologist takes frontal and lateral view of your chest on the digital X-ray machine. He then goes back to the X-ray control room, and sees that the images are pretty good, and so he sticks your name on them, and a marker of the date/time and his name, and so on, and then sends them to the hospital's PACS system. I (the radiologist) am working at my PACS workstation, going through the long list of all of the CT scans, MR scans, and X-rays taken in the hospital. I get to your chest X-ray and look at it; I don't seen any sign of pneumonia, so I write a report (the subject of a whole different set of informatics) that basically says "Clear lungs" and that gets entered into your electronic medical record. Then, Dr. Smith back in her office can see your X-ray via her Web-based interface. If she wonders about something she sees, she can call me up and say, "What's that stuff at the left ape

It was supposed to be a C3 O/S !!!!

[Cassini2 (956052)]

Many industrial and medical applications run on Windows. You forget that Windows NT was advertised as a high-security C3 operating system. Many applications were ported on this advertising. Some of the lock-down permissions in Windows NT were pretty draconian, and worked really well.

With Windows Vista, Microsoft appears to be completely abandoning any pretense of high-reliability.

Many industrial and medical applications have fairly high reliability requirements. Using commodity software and hardware has some cost and reliability advantages. It is easy to source replacement parts, and implement hardware redundancy. Being able to easily obtain replacement hardware is a big advantage if downtime costs are large.

The problem is that Microsoft appears to have abandoned the high-reliability sector. Windows XP has a continuous stream of rolling updates for both XP and the Anti-Virus packages. The result is that your high-reliability application can stop working for no apparent reason. From all indications, Windows Vista will make this worse.

Recently, I have been looking harder and harder at Linux. Linux offers a much more stable platform, and I can customize the installation to make it much more difficult to corrupt. The issue is that such a high software investment has been placed in specialized Windows solutions, that it is difficult to port everything to another operating system overnight.

Dupe from Friday

[ahecht (567934)]

Same story at http://it.slashdot.org/article.pl?sid=06/12/22/172 7245 [slashdot.org]

Re:Dupe from Friday

[tygerstripes (832644)]

If they dupe this every other day until next June, it is good.

If? You must be new here. Welcome to Slashdot.

Not an "upgrade", just a different flavor

[by Anonymous Coward]

Microsoft was legally forced to remove version numbers from Windows as the software they ship was technically no longer improved.

Primary Sources, FTW!

[Grym (725290)]

Here's a link [auckland.ac.nz] to the actual paper referenced in the article.

I would post the entire paper, but it's too large. Here are some notable excerpts:

However, one important point that must be kept in mind when reading this document is that in order to work, Vista's content protection must be able to violate the laws of physics, something that's unlikely to happen no matter how much the content industry wishes it were possible. This conundrum is displayed over and over again in the Windows content-protection specs, with manufacturers being given no hard- and-fast guidelines but instead being instructed that they need to display as much dedication as possible to the party line. The documentation is peppered with sentences like: "It is recommended that a graphics manufacturer go beyond the strict letter of the specification and provide additional content-protection features, because this demonstrates their strong intent to protect premium content". This is an exceedingly strange way to write technical specifications, but is dictated by the fact that what the spec is trying to achieve is fundamentally impossible. Readers should keep this requirement to display appropriate levels of dedication in mind when reading the following analysis.

Vista's content protection mechanism only allows protected content to be sent over interfaces that also have content-protection facilities built in... Since S/PDIF doesn't provide any content protection, Vista requires that it be disabled when playing protected content. In other words if you've invested a pile of money into a high-end audio setup fed from a digital output, you won't be able to use it with protected content. Similarly, component (YPbPr) video will be disabled by Vista's content protection, so the same applies to a high-end video setup fed from component video.

Alongside the all-or-nothing approach of disabling output, Vista requires that any interface that provides high-quality output degrade the signal quality that passes through it. This is done through a "constrictor" that downgrades the signal to a much lower-quality one, then up-scales it again back to the original spec, but with a significant loss in quality... Amusingly, the Vista content protection docs say that it'll be left to graphics chip manufacturers to differentiate their product based on (deliberately degraded) video quality. This seems a bit like breaking the legs of Olympic athletes and then rating them based on how fast they can hobble on crutches.

Vista's content protection requires that devices (hardware and software drivers) set so-called "tilt bits" if they detect anything unusual. For example if there are unusual voltage fluctuations, maybe some jitter on bus signals, a slightly funny return code from a function call, a device register that doesn't contain quite the value that was expected, or anything similar, a tilt bit gets set. Such occurrences aren't too uncommon in a typical computer (for example starting up or plugging in a bus-powered device may cause a small glitch in power supply voltages, or drivers may not quite manage device state as precisely as they think). Previously this was no problem - the system was designed with a bit of resilience, and things will function as normal... With the introduction of tilt bits, all of this designed-in resilience is gone. Every little (normally unnoticeable) glitch is suddenly surfaced because it could be a sign of a hack attack. The effect that this will have on system reliability should require no further explanation. Content-protection "features" like tilt bits also have worrying denial-of- service (DoS) implications. It's probably a good thing that modern malware is created by programmers with the commercial interests of the phishing and spam industries in mind rather than just creating as much havoc as possible

Medical Imaging Specialist????

[perry (7046)]

Peter is a security guy. He's written widely used crypto software. He is not a medical imaging specialist. Where did /. get the idea that he's a medical imaging specialist???

Peter who?

[pedantic bore (740196)]

No matter how good a medical imaging specialist Peter Gutmann happens to be, I think I'm going to wait for some security experts to weigh in on Vista issues before I jump to any conclusions.

I'm new here but...

[monoqlith (610041)]

Could someone please like, read....something before they post a summary? I found no indication that Gutmann is a medical imaging specialist from his web page or report. He's a computer scientist who specializes in compression and encryption, which actually makes him a little bit qualified to perform a professional review of the new operating system.

The only thing remotely medicine related here is a quote from 'Brad Steffler MD.', a surgeon who claims that Microsoft's restrictive DRM methodologies make it more difficult for him to do his job.

Re:I'd prefer a less pre-loaded stance

[aralin (107264)]

You know this is a problem when dealing with Microsoft. You come into the process as objective person without prejudice to them and then you study the subject. If you study in a sufficient detail, you will become so enraged by what they are doing and that you are now hopelessly prejudiced against Microsoft. Look at the judge Jackson in the Microsoft trial. That is a person who's living depends on being objective and he got so pissed off by studying Microsoft practices that even he was not able to keep being perceived as impartial and so his ruling got thrown out by court of higher instance.

The most sad part is that Microsoft is abusing this by pointing to every such study as prejudiced and often rightly so. But what is the general public to do now? You either have experts that study the matter and become prejudiced or you have those with only superficial knowledge who can keep the illusion of objectivity but more often than not they do not know enough about the matter. Often to the point to believe studies paid by Microsoft as being a source of objective information. And if you want to keep the illusion of objectivity you need to cite those and it just seems wrong to me.

Sometimes you are just not supposed to be objective. Some topics do not invite that form of discussion. Is the Earth flat? I don't think anybody expects you to present the supporting opinion in equal length. Did holocaust happen? Again, not really a question in need of giving equal space to both sides. So why 'Is Microsoft crooked and do they intentionally cripple their product to harm consumer and competition?' needs any more discussion even after it was affirmed by Findings of Fact published by a federal judge? The matter of do they or don't they has long been settled. At this point the only question should be: "How exactly are they trying to cheat this time?"

Re:A biz idea for the new year

[by Anonymous Coward]

Here's an interesting tidbit from the WINE folks [winehq.org]:

Direct3D10, which will ship with Windows Vista in a few months, doesn't seem to be a large cause for concern. At first glance it appears to be more of an evolutionary change rather than revolutionary. New shader support will be needed, but extending ours once OpenGL supports it should be pretty easy. Stefan mentioned Microsoft is currently offering a lot of incentives for Windows developers who develop D3D10-only games since they'll only be usable on Vista - there's no plan to backport D3D10 to XP. Dan Kegel asked if that means we should port Wine's forthcoming D3D10 implementation to Windows, which would be relatively easy when we switch to WGL.

Re:Priorities

[kfg (145172)]

Without a doubt, Windows is still the most convenient platform for consumers. But the priority behind the design is not purely performance and flexibility, but protecting content and other commercial interests.

Houston; we have doublethink.

KFG

Re:Priorities

[diegocgteleline.es (653730)]

We sure know the priority isn't security either

In fact, if they only wasted the half of the time they wasted in DRM in security improvements...

I mean, if you read the DRM protection [microsoft.com] work...they completely redid everything that could break DRM, they break compatibility, they're even planning systems that need to re-do the hardware to require encryption on the *system*bus* just to keep hardware hackers from stealing contents at that place and hence making the DRM useless.....

If they had wasted all those efforts in improving security...vista would be the most secure consumer os available

Re:Priorities

[zCyl (14362)]

I mean, if you read the DRM protection work...they completely redid everything that could break DRM, they break compatibility, they're even planning systems that need to re-do the hardware to require encryption on the *system*bus* just to keep hardware hackers from stealing contents at that place and hence making the DRM useless.....

The message is clear. They believe their monopoly can be best maintained by catering to producers, rather than to consumers. Consumer choice is not driving that market.

Re:Priorities

[Dunbal (464142)]

Consumer choice is not driving that market.

      Consumer choice never drives the market in a monopoly situation. You get what I feel like producing, and you pay what I feel like charging. If you don't like it, tough.

Re:Priorities

[Deathlizard (115856)]

The message is clear. They believe their monopoly can be best maintained by catering to producers, rather than to consumers. Consumer choice is not driving that market.

And it's going to hurt them. probably long term and big time.

Zune is a failure vs Ipod because consumers don't want to deal with DRM everytime they want to listen to something, especially when there are hundreds if not thousands of music players that will play non DRM files. Including the Ipod.

Vista will fail for similar reasons. Business is happy with XP and will support it until Microsoft doesn't, and maybe adopt Linux after that. Consumers will only upgrade when they buy a new PC, and will stay around even after support is killed. if Apple starts opening their mouth about vista DRM screwing their music experience, they might just buy a Mac next time. Hell I don't know why Apple hasn't done a "Buy a Mac and get an Ipod Free" deal as of yet. It would definitely get a mac in the door faster.

It's looking the same way for office2007 business wise. I know we look at it and say to ourselves "training nightmare". I'm sure we're not the only ones saying that especially since our business is Higher education. I can only imagine what a commercial business is saying.

Apple and Microsoft had the power. They had the power to give both AA's the finger and work directly with the artists. They had the power to ignore them completely and let the users rip until the cows come home. They had the power to screw these Hi-def DVD formats until they relaxed the standards to work with existing hardware and software. Unfortunately, Apple seems to be giving the RIAA the finger while somewhat bowing down to the MPAA's HD lockdown Schemes, and MS is asking both AA's which lower cheek to kiss in a futile attempt to gain some more exclusive content that Apple's going to get anyway because their the market leader. Even then, all MS is really going to get in the end is more demands from the AA's when they could have easily just stayed the course they were going and force the AA's to conform to the digital age or die.

If there is any time for Apple and Linux to start pushing themselves, now's the time.

if its a good OS, todays ver is the final

[cheekyboy (598084)]

Look at linux... its not like we have Linux 3.0 and Linux 4.0 where nothing old works.

Its still linux. 8 year old stuff still compiles mostly, its fluid.

If windows was so great, it would stay at one version XP forever, with unlimited updates forever, SP4 SP21. etc...
Just because they are forced by marketing to make a new version is admiting its core is crap and needs a rewrite.

They could just as easily update/replace portions of XP gradually, six monthly. And make sure each other component isnt
too tied to others. ie WMP shouldnt need IE7 or something else... it should be detect and use if available.

This whole idea of , lets stop current dev and all new dev is placed into a new 'version' edition is total marketing crap, and
old school stuff of the 80s. Modern complex systems should never have a major rebuild, its always small step updates, like real
biological evolution.

OSX is basically the same, but again its articially versionized because of just new components added, and the silly side effects like
newly compiled made software not working on old OSX's even if they use no new features, thats my biggest pet pieve of OSX. Sometimes
its only the result of the installer package, not the code it self which would work fine. If X library is less than version Y, then dont use
those features.

Btw does apple make the old OS10.1 and 10.2 upgrades from 10.0 FREE NOW? what about any one left in 10.2 land, do they get a free 10.3 upgrade
once 10.4 is widely installed? Having too many versions installed out there should be a worry for them, they should allow all 10.3 machines to upgrade
for free. It would surely be cheaper to have no support for pre 10.3 if you provide free upgrades.