Security Microsoft

Microsoft Stalling TCG Best Practices Document?

It doesn't come easy writes "Bruce Schneier (of Counterpane Internet Security) suspects Microsoft doesn't want the best practices document recently published by the Trusted Computing Group, Design, Implementation, and Usage Principles for TPM-Based Platforms, to apply to Vista. The reasons are mostly speculation at the moment but Bruce implies further investigation will be forthcoming..."
  • No lasting effect. (Score:5, Interesting)

    by Trusty Penfold ( 615679 ) * <jon_edwards@spanners4us.com> on Wednesday August 31, 2005 @02:25PM (#13447644) Journal
    So it doesn't apply to Vista and the end result is that Vista turns out to be a bug-ridden, insecure operating system. What's new?

    This will be yet more incentive to move to a system which has been properly designed, from scratch, to be safe.

    As has happened before, the other members of the group will go ahead with their design based off of a draft of the document - generation 1 has a few interoperability issues because each member interpreted the draft differently but at least there will be something out there which everyone, except MS, is trying their best to follow.
  • TCG Bashing? (Score:3, Interesting)

    by weilawei ( 897823 ) on Wednesday August 31, 2005 @02:29PM (#13447691)
    I'm not sure of the writer's bias, but it would seem that TCG is fairly "opt-in." Somewhat unlike the current /. tidal wave seems to indicate. TFA mentions "Controllability: Each owner should have effective choice and control over the use and operation of the TCG-enabled capabilities that belong to them; their participation must be opt-in. Subsequently, any user should be able to reliably disable the TCG functionality in a way that does not violate the owner's policy." Who and what is the owner's policy? If the owner's policy says I can't run what I want without TCG, then that statement is effectively meaningless. I can have a hunk of hardware. If the "owner's policy" is something I make up, then it seems fine. TFA also states "The use of coercion to effectively force the use of the TPM capabilities is not an appropriate use of the TCG technology." This is exactly counter to /.speek. So what is it? Is this marketing spin? Is it real?
  • Just a guess (Score:4, Interesting)

    by Xerp ( 768138 ) on Wednesday August 31, 2005 @02:33PM (#13447720) Journal
    Out of any software company, Microsoft has the worst security record in history. I wonder if this could have anything to do with it? Just a guess...
  • Re:The DRM factor. (Score:5, Interesting)

    by peragrin ( 659227 ) on Wednesday August 31, 2005 @02:36PM (#13447745)
    It already is being rejected. At least as far as music is concerned. People have voted with their dollars (& pounds, euros, etc.).

    Apple's DRM is simple and consistent unlike MSFT's which change per song. Apple has sold over a half a billion dollars worth of songs. The rest combined barely equal a tenth of that.

    If you have to have DRM it has to be consistent and easy to use, and actually have rights not just restrictions.
  • by ciroknight ( 601098 ) on Wednesday August 31, 2005 @02:39PM (#13447768)
    Eh, it's all just signs of Microsoft cracking. Right now it's running around in so many directions, trying to do so many things that one side of Microsoft can't tell what the other's doing.

    One section of Microsoft is trying to find a way to diversify into other fields (as it always has been). This means as soon as anything gets popular, instantly releasing that they will have a competitor to that product. See previous articles..

    The next section of Microsoft is designing Vista. More or less, they're looking over at Apple and saying "hmm, now how do we do this for ourselves". Hey, if you're going to copy, make sure you copy from the best.

    Next, Microsoft's patent team is doing everything they can to churn out as many patents for as many things as possible, no matter what relevance they have to anything. Patents are the new gold; having them makes you rich, no matter in what shape, color, or form.

    Then you have the Microsoft gaming committee putting together the XBox 360.. Good luck with that xboxers.

    And then you end up with the "future of technology" department; the one where they write all of these magnificent things, designing things like Palladium and giving them crazy names. The only problem is, while this section's doing the designing, all of the other sections of Microsoft are doing their own thing; it seems as if there isn't any communication in the entire process.

    Microsoft is like a three hundred pound kid on a tricycle on a very big hill. They've got a lot of business hinged on a small amount of products, and they've got to ensure that these products don't collapse. And the best way of doing that is Advertising, the media, product placement, and the public (get the picture yet? good). The more of these documents coming out that don't mean anything at all, the more Microsoft looks like it's doing something.
  • Some notes (Score:5, Interesting)

    by Red Flayer ( 890720 ) on Wednesday August 31, 2005 @02:39PM (#13447772) Journal
    A quick scan of the bullet points on the first page of the article may reveal why MS may not implement:

    "Security: ...The reporting mechanism should be fully under the owner's control. "

    "Privacy: ...designed and implemented with privacy in mind "

    "Interoperability: ...should not introduce any new interoperability obstacles that are not for the purpose of security. "

    "Controllability: Each owner should have effective choice and control... their participation must be opt-in. "

    Why should MS rewrite all of their business practices based on what their competitors suggest?

    I'm not saying that TGP is a bad idea... I'm saying that it is a bad idea for MS.

  • by sysadmn ( 29788 ) <{sysadmn} {at} {gmail.com}> on Wednesday August 31, 2005 @03:52PM (#13448305) Homepage
    What if MS is stalling not because they don't want it to apply to Vista, but so that their competitors on the committee can't implement software only (TNC) solutions? HP, IBM, and Sun all have DoD certified (B2 compliant) versions of their proprietary operating systems. If MS confuses things so that TPC means (only) Intel's hardware and Microsoft's software, they've frozen out AIX, HP-UX, and Solaris until Vista catches up. (Yeah, I know there are B2 versions of NT - you just can't do much with it.).
  • Who is the "owner?" (Score:5, Interesting)

    by overshoot ( 39700 ) on Wednesday August 31, 2005 @03:52PM (#13448309)
    The TCG has resisted defining "owner" for purposes of their spec, despite several requests for clarification.

    Think of it this way: most computer-related "stuff" now has a "licensed, not sold" tag attached. Ask yourself again, then, who has ultimate control under TCG definitions.

  • Lawful intercept. (Score:1, Interesting)

    by Anonymous Coward on Wednesday August 31, 2005 @07:20PM (#13449912)
    "Most of the TCG spec is optional and can be turned off"

    Oh please. Don't get fooled. This is just sucker bait, and you're swallowing it.

    If it is optional now, it won't be in the future. The way things have always worked is that "lawful intercept" occurs in the next generation of the products.

    It's been this way with just about EVERY new technology of interest that has come along. First with the phone system, then with the internet, routers/switches, and they are currently trying to do it with VOIP.

    Computers are just the next thing on this list.

    I give it in place by 2010, max.
  • Re:File Protection (Score:3, Interesting)

    by SilverspurG ( 844751 ) * on Wednesday August 31, 2005 @09:30PM (#13450702) Homepage Journal
    This brings to mind an ugly scenario
    I'm on board with another ugly scenario presented here [slashdot.org].

    Writers of malicious software are always several dozen steps ahead of the average consumer by nature. They will figure out how to circumvent the TC implementations and then use those very restrictions to prevent the users from diagnosing and removing them.

    In a sick sort of way this may be economically profitable for companies who write security software. But the whole system is definitely not in the best interest of society.
