Security

Schneier Analyzes Palladium

bcrowell writes "This month's CryptoGram from Bruce Schneier has an analysis of what little information people have been able to glean (without signing an NDA) about Microsoft's Palladium initiative." We might as well throw in a direct link to Schneier's look at the MPAA License to Hack bill as well.
  • by Dooferlad ( 101535 ) on Friday August 16, 2002 @08:41AM (#4081873) Homepage Journal
    The latest Crypto-Gram has some things to say about Pd, or Palladium as the full name goes. It is interesting, but it doesn't say anything about something that sprang to my mind - the possibility of a virtual machine that runs as a Pd device, on top of a non-Pd device, completely breaking the security. This would be hard to do I expect, but not impossible. Those who have written VMware and similar programs probably have it in them to reverse engineer the protocols used and reproduce them in software; for the sake of argument call it VmPd.

    It goes like this:

    VmPd runs on a PC, VmPd contains all keys required to access all areas of itself. VmPd is trusted, because it is a trusted PC (which is the point of this whole mess) to do what it is expected to do. For the sake of argument assume we have downloaded The Little Mermaid under license from Disney, and we are only allowed to play it once. We turn off VmPd, and all we have is an encrypted jumble on our hard disk where we set up the partition to host it. We also have the keys to read it though, and simply decrypt the movie and show it to our hypothetical little children as many times as we like.

    This works because, as I understand it, Pd only allows you to access material with certain rights, depending on what access partition it is under. If Disney set up an access partition for downloading movies, this will be done in a way that trusts your Pd machine.

    Assuming that Disney only give you a key when you pay for one, that key will always work unless they can change how the movie is encrypted. It is conceivable that they would have a player that on-the-fly re-encrypts the movie with a new public key as you view it, every time you view it, and they only give you the new private key when you pay for it. But the transmission of the key is encrypted, trusted because you have a Pd device, so you just intercept the key on its way into VmPd, don't play the movie, and decrypt it yourself and watch as many times as you like.

    I am probably missing something, but it makes for interesting thinking.
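The attack Dooferlad sketches above, as an added worked example (editor's code, not from the post and not Microsoft's Palladium, whose real key formats and protocols are not public): a toy license server wraps a per-title content key to a device's RSA public key and attaches a play limit; the compliant player enforces the limit, while an "emulated" player holding the same private key simply ignores it. The `License` struct, the RSA-OAEP plus AES-256-GCM construction, the `Issue`/`TrustedPlay`/`EmulatedPlay` names and the play counter are all assumptions made for this example. It also takes the post's premise for granted, namely that VmPd has obtained the device's private key; a tamper-resistant chip exists precisely to make that extraction hard, so whether the attack works in practice turns on that premise, not on anything in the protocol below.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// License is the hypothetical object a content server hands to a device it
// trusts: the content key wrapped to the device's public key, plus a play
// limit. The format is invented for this example, not Palladium's.
type License struct {
	WrappedKey []byte // RSA-OAEP(devicePub, contentKey)
	PlaysLeft  int    // enforced only by player software on the device
}

// Device stands in for the "trusted" platform and the keys it holds.
// The VmPd of the post is simply a software copy of this struct.
type Device struct{ priv *rsa.PrivateKey }

func NewDevice() (*Device, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	return &Device{priv: k}, nil
}

func (d *Device) Public() *rsa.PublicKey { return &d.priv.PublicKey }

// Issue is the server side: encrypt the content under a fresh AES-256-GCM key
// and wrap that key to the device. The server learns nothing about the device
// beyond its public key, so it cannot tell real hardware from an emulator.
func Issue(devicePub *rsa.PublicKey, plaintext []byte, plays int) ([]byte, License, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil { return nil, License{}, err }
	ct, err := seal(contentKey, plaintext)
	if err != nil { return nil, License{}, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devicePub, contentKey, nil)
	if err != nil { return nil, License{}, err }
	return ct, License{WrappedKey: wrapped, PlaysLeft: plays}, nil
}

// TrustedPlay is the compliant player: unwrap, decrement, refuse when spent.
func (d *Device) TrustedPlay(ct []byte, lic *License) ([]byte, error) {
	if lic.PlaysLeft <= 0 { return nil, errors.New("license exhausted") }
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, d.priv, lic.WrappedKey, nil)
	if err != nil { return nil, err }
	lic.PlaysLeft--
	return open(contentKey, ct)
}

// EmulatedPlay is the VmPd attack: the same device key, minus the counter.
// The protocol's only secret is held by the party it is meant to restrict,
// so once that key is in software the play limit is a suggestion.
func (d *Device) EmulatedPlay(ct []byte, lic License) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, d.priv, lic.WrappedKey, nil)
	if err != nil { return nil, err }
	return open(contentKey, ct)
}

// seal returns nonce || AES-GCM ciphertext under key.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal, rejecting inputs too short to carry a nonce.
func open(key, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(ct) < n { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, ct[:n], ct[n:], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

func main() {
	dev, _ := NewDevice()
	ct, lic, _ := Issue(dev.Public(), []byte("The Little Mermaid"), 1)
	_, err := dev.TrustedPlay(ct, &lic)
	fmt.Println("trusted play 1, err =", err)
	_, err = dev.TrustedPlay(ct, &lic)
	fmt.Println("trusted play 2, err =", err)
	for i := 1; i <= 3; i++ {
		pt, err := dev.EmulatedPlay(ct, lic)
		fmt.Printf("emulated play %d: %q err=%v\n", i, pt, err)
	}
}
```

Running it shows the compliant player succeeding once and then refusing, while the emulator decrypts as often as it likes with the identical license. The design point a practitioner should take from this is where the trust boundary sits: the server's only evidence about the player is a public key, so any scheme of this shape has to either keep the private key out of the owner's reach (the tamper-resistant chip) or prove to the server which software is running (attestation). Strip either and the "one play" rule lives entirely in code the adversary controls.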
  • by tlambert ( 566799 ) on Friday August 16, 2002 @08:46AM (#4081902)
    With all this non-resalable equipment and media, has anyone done an environmental impact study in terms of waste disposal, when your computer and/or its current OS load and the CDROMs it came on can no longer be donated to the local orphanage?

    We're already having problems with monitors and computers (it costs to throw a monitor away where I live, unless you take it to the dumpster at 3AM), with most printed circuit boards finding their way to heavily contaminating the countryside during cheap-labor disassembly after shipping to Asia.

    -- Terry
  • Re:Well (Score:3, Interesting)

    by Fizzol ( 598030 ) on Friday August 16, 2002 @08:58AM (#4081945)
    Unfortunately by the time we get to see 'the real thing' it may already be mandated by law and be far too late to do anything about it. When dealing with something like this you really can't have too much lead time.
  • How to beat it (Score:2, Interesting)

    by ShieldW0lf ( 601553 ) on Friday August 16, 2002 @09:10AM (#4081987) Journal
    My understanding of the way this system works is that the author of a piece of media will be able to revoke people's rights to use it remotely. What needs to happen is for someone to hack some major source of media, and wipe out everyone's media. Once this happens, people will refuse to buy the hardware. If you could wipe out a few multinationals and a few important government departments, that would help bring us all together, "consumers" and government alike.
  • Amazingly enough, this one is able to analyze most of the knowledgebase around "Palladium" and boil it down to the more interesting core issues. I would've appreciated a little more insight along the lines of what such a strategy as Palladium does to the role of the PC however. Generally speaking, PCs are multipurpose machines, which are *fully* programmable, and do pretty much whatever you tell them to. They manipulate data in any way *you* the *user* see fit. What Microsoft is attempting with "Palladium" is going to place restrictions about what a PC can do, and leave these restrictions up to the content producers. I won't comment on the stance of the content producer, but I will mention that this is a departure from what has been a central tenet of the computer: "it's yours". The trend seems to be shying away from "it's yours" to "you didn't buy it, you paid us to ALLOW you to use it - in a way we deem appropriate". Of course, "we" being the content producers. Microsoft really doesn't care what we do with our music and movies - they just don't want the MPAA/RIAA/Legislators breathing down their neck.
  • by miffo.swe ( 547642 ) <daniel@hedblom.gmail@com> on Friday August 16, 2002 @09:23AM (#4082037) Homepage Journal
    They will probably coerce it into AMD's and Intel's CPUs by either repression or by lobbying. Once it's in the CPU it's an easy task of just slipping it into the next version of Windows.

    Their goal is probably to make it impossible to buy a new computer without the hardware part. Once that is in, games and other apps are released to only work on a Palladium-enabled computer. Note that this is a bit down the road and not all of it will happen at once. It's a sneak attack.

    Hopefully either AMD or Intel will see that whichever of them does not have the hardware thingie in their CPU will be selling a lot more CPUs than the other.

    On that conclusion I presume they will lobby as hard as they can to make it mandatory to have TCPA built into new computers.
  • by dBLiSS ( 513375 ) <theking54NO@SPAMgmail.com> on Friday August 16, 2002 @09:29AM (#4082069) Journal
    I can see it now, you will have to buy Mod chips for your PC on the grey market, to get around the hardware "security" just to install Linux..
  • by Kenneth Stephen ( 1950 ) on Friday August 16, 2002 @09:34AM (#4082090) Journal

    To quote : "3. Like everything else Microsoft produces, Pd will have security holes large enough to drive a truck through. Lots of them. And the ones that are in hardware will be much harder to fix. Be sure to separate the Microsoft PR hype about the promise of Pd from the actual reality of Pd 1.0."

    Sure, Microsoft has to date produced lots of software with security holes "large enough to drive a truck through". However bear in mind that the holes have usually been a consequence of the overriding principle of wanting to keep things user-friendly at all costs. Their past history doesn't imply anything about how secure they can make their stuff. Certainly, Microsoft hires a lot of smart people and I'm sure that if they were given the mandate to design and implement a secure infrastructure, they could do it - something that Bruce seems to think is impossible.

  • Not the MPAA's bill. (Score:3, Interesting)

    by Anonymous Coward on Friday August 16, 2002 @09:55AM (#4082212)
    Quite frankly, I'm a little tired of the reactionary way in which any perceived infringement on electronic freedom is automatically associated with the MPAA. For the record, the RIAA works closely with Berman, and the bill is more or less theirs. Jack Valenti has publicly distanced himself from the bill, and it's not something the MPAA had a hand in.

    There's a lot of misdirected initiatives out there, but please credit the MPAA with knowing what's right and what's not.

    In layman's terms: Stealing our member companies' product: wrong. "Hacking" (I'd prefer "cracking," or simply "script-kiddying," as a DoS attack is not hacking in the traditional sense) a consumer's computer: wrong. Sending Cease and Desist letters and, when those fail, working with the ISPs not to terminate accounts (examples of the MPAA's letters can be found at chillingeffect.org and you'll note they do not include language asking for account termination), but rather to remove the infringing material, IMHO, right.

    I'm an author and a filmmaker, I've worked with the MPAA, I've seen my work pirated, I've heard studio heads freak out about the fact that their product is available on the Internet three weeks before theatrical release. (Anyone who hangs out in IRC knows this to happen.) I see that the problem is real. I also see the MPAA being very defensive, but most certainly not offensive (think strategy, not personal opinion ;) in their fight to stem this tide.
  • So tell them!!! (Score:5, Interesting)

    by DoctorFrog ( 556179 ) on Friday August 16, 2002 @10:29AM (#4082393)
    Unfortunately the home user won't read the article. He will read advertisements that promise him a computer that will make "Windows XP even more secure".

    The home user bought Office 2000 because of the helpful little paperclip. He will buy this.

    Being defeatist about it doesn't do squat. I bring these kinds of articles to work. I leave them in the lunch room. I don't have to proselytise any more than that; everyone knows it's me leaving them, and they ask me. I tell them what's going on and what they can do about it, including the downsides ("You will have to learn more about your computer. You will have to do some research before you buy new hardware. You won't have as many commercial applications available, and that includes games.").

    I keep a supply of Live-CD distros in my desk and I give them away. Microsoft has lost several Joe Sixpack level customers from this activity. I will help people do the switch, while making it clear to them that I'm not an expert or a professional, just a guy willing to help; I will always make a full backup if they have a burner (except for XP), and I will always recommend a dual-boot at least to start with, and I will always promise to do my best to restore their system (no guarantees) if they decide to go back to all-Windows. So far no one has taken me up on that last one.

  • by pmz ( 462998 ) on Friday August 16, 2002 @11:03AM (#4082597) Homepage
    Amendment IV.

    The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.


    How is my hard drive and RAM different from my "papers" and "effects"?

    Let's say I have 3,000 VHS videocassettes in a home owned by me. Those cassettes contain blatantly illegal copies of The Country Bears, which I intend to sell for profit but haven't, yet. The FBI cannot break into my home at any moment to see whether the videocassettes are there; they have to wait until I sell them carelessly, leaving a trail right back to my home. Only then, with a warrant in hand, do they come and confiscate the cassettes, probably arresting me, too.

    Let's say I find a way to copy one of those videocassettes onto my Palladium-equipped PC but haven't distributed it, yet, even though I intend to. Will there be something about this act that triggers Microsoft's piracy alarms? Even though I haven't technically broken the law, yet, can Microsoft or their hit-men enter my computer without a warrant and delete that movie?

    How is entering my computer through a network interface different than entering my home through the front door?
  • Re:Well (Score:4, Interesting)

    by xmedar ( 55856 ) on Friday August 16, 2002 @12:03PM (#4082974)
    Yes and no, here's my take on it.

    I disagree with Schneier on several points -

    > Will Microsoft jigger Pd to prevent Linux from running? They don't dare.

    and earlier he says -

    > Some say that Pd is, in fact, Microsoft's attempt to preempt the TCPA spec.) TCPA is the Trusted Computing Platform Alliance, an organization with just under 200 corporate members

    So does he think for a moment that Linux is a "corporate member"? Linux is by its definition a community, not a corporation, and thus cannot "be a member" of the TCPA; of course corporations who sell Linux can be members, but as the corporations involved with Linux are a fraction of what Linux actually is, Linux as a community could be damaged severely if this comes to pass.

    > Additionally, a new chip is required: a tamper-resistant secure processor.

    And who's going to upgrade all those old machines that don't have the chip? And what of all those old machines donated at the end of their corporate or home lives to schools and charities? How much of the data swirling around the data buses is encrypted? Do we need new memory / I/O buses that are deemed "secure"? Are there requirements for shielding the buses from electromagnetic surveillance? Or are they mandated to be open to some mandated authority? So many questions, and NO answers; if they really have been working on Pd since 1997 and there are no answers to these fundamental questions then I call BS.

    > Pd provides protection against two broad classes of attacks. Automatic software attacks (viruses, Trojans, network-mounted exploits) are contained because an exploited flaw in one part of the system can't affect the rest of the system.

    Or *nix as it's usually called. Given that MS software has been and continues to be highly insecure, does anyone really think that they can pull this off? The paragraph continues -

    > And local software-based attacks (e.g., using debuggers to pry things open) are protected because of the separation between parts of the system.

    So how much will I have to pay MS to run a debugger? And will there be any other debuggers allowed to run other than MS ones?

    > There are security features that tie programs and data to CPU and to user, and encrypt them for privacy.

    Does that mean that every user (member of family, friend, co-worker, etc.) that uses a machine will require a separate licence to get a separate key, or is it all encrypted with the owner's rather than the user's key? And how are data and keys moved from machine to machine? What happens if keys (like the Registry beforehand) become corrupt?

    > Your computer will have several partitions, each of which will be able to read and write its own data.

    And what if a partition becomes corrupted? Do we have some sort of digital receipt if we got something from the Net so that we can get back from the Net what was lost locally? If so, who enforces the contractual obligations of the digital seller? What if the seller ceases trading?

    > There's nothing in Pd that prevents someone else (MPAA, Disney, Microsoft, your boss) from setting up a partition on your computer and putting stuff there that you can't get at.

    So the MPAA could just DoS me by using up all my drive space so I don't have any room to put MP3s on my machine?

    > Microsoft has repeatedly said that they are not going to mandate DRM, or try to control DRM systems, but clearly Pd was designed with DRM in mind.

    They also say that they aren't an abusive monopoly, or that they aren't hiding anything by not declaring share options on their balance sheet.

    > There seem to be good privacy controls, over and above what I would have expected.

    So no dial-in to MS then to give up your blood type and sexual preference then??

    > And Microsoft has claimed that they will make the core code public, so that it can be reviewed and evaluated.

    When? 2010? 2050?

    > It's hard to sort out the antitrust implications of Pd.

    Why would they care? Hasn't Bruce been following the current case? Doesn't he realise that MS 0wnz the DoJ?

    > Will it take standard Internet protocols and replace them with Microsoft-proprietary protocols? I don't think so.

    The word Halloween comes to mind...

    > Will Microsoft enforce its Pd patents as strongly as it can? Almost certainly.

    Except in countries where software patents aren't recognised.

    > Lots of information about Pd will emanate from Redmond over the next few years, some of it true and some of it not.

    Whoa! Some of it "true"?

    > 1. A "trusted" computer does not mean a computer that is trustworthy. The DoD's definition of a trusted system is one that can break your security policy; i.e., a system that you are forced to trust because you have no choice. Pd will have trusted features; the jury is still out as to whether or not they are trustworthy.

    Didn't NT have a C5 rating? Hehe...

    > I doubt that you or I could, and still enjoy the richness of the Internet. Microsoft really doesn't care about what you think; they care about what the RIAA and the MPAA think. Microsoft can't afford to have the media companies not make their content available on Microsoft platforms, and they will do what they can to accommodate them.

    Yeah, I mean it's not like people are ripping CDs and DVDs all the time and making them available over the Net with downloads in the billions per month or anything.... DOH!

    > 3. Like everything else Microsoft produces, Pd will have security holes large enough to drive a truck through. Lots of them. And the ones that are in hardware will be much harder to fix. Be sure to separate the Microsoft PR hype about the promise of Pd from the actual reality of Pd 1.0.

    At last! Pd is right now a big PR exercise with a bit of crappy MS code behind it that probably has hundreds of obvious holes (buffer overflow anyone?)

    > 4. Pay attention to the antitrust angle. I guarantee you that Microsoft believes Pd is a way to extend its market share, not to increase competition.

    and -

    > There's also a lot I don't like, and am scared of. My fear is that Pd will lead us down a road where our computers are no longer our computers, but are instead owned by a variety of factions and companies all looking for a piece of our wallet. To the extent that Pd facilitates that reality, it's bad for society. I don't mind companies selling, renting, or licensing things to me, but the loss of the power, reach, and flexibility of the computer is too great a price to pay.

    Pd is about the control of information, where/how you get it and how you use it, usually the purview of media companies, governments, religious leaders etc. for most people on this planet, as opposed to some of us /.ers who rely on ourselves and open sources of information. Your wallet is only the tip of the iceberg; they want your mind. Pd is The Matrix with nightly reboots.
