Security

Schneier Analyzes Palladium

bcrowell writes "This month's CryptoGram from Bruce Schneier has an analysis of what little information people have been able to glean (without signing an NDA) about Microsoft's Palladium initiative." We might as well throw in a direct link to Schneier's look at the MPAA License to Hack bill as well.
This discussion has been archived. No new comments can be posted.

  • Down in the news section, he has a link to an article which shows that profiling airline passengers is "provably less secure" than random searches at the gates.

    He has issues with arming airline pilots [counterpane.com] as well.


    The real dangers, though, involve the complex systems that must be put in place before the first gun can ride along in the cockpit. There are major areas of risk.

    • The real dangers, though, involve the complex systems that must be put in place before the first gun can ride along in the cockpit. There are major areas of risk.
      Yes, this was such a danger, that we all remember the stories about problems with armed pilots that happened before the FAA banned the practice in 1987 for political reasons.


      Actually, come to think of it, I can't seem to recall a single one. Can you?


      Pilots carrying handguns on their planes used to be routine, and in fact, when carrying US mail, required [handguncontrolinc.org] by the federal government.
      When this person speaks of complex systems, he's obviously forgetting one over-riding principle: KISS. Keep it simple, stupid.
      When you give pilots guns, do what other federal agencies and the majority of police departments do- each pilot is responsible for their own firearm, and must have it in their possession at all times. So yes, they carry it through the gates, and security checkpoints. They certainly don't hand them over at any time to the high school dropouts who clean the plane or run the security checkpoints. They would carry the gun on them, on their hips, or maybe some quick draw holster at their controls (only while they're seated.) They should be required to take lessons in weapons retention, so that terrorists would have a harder time getting the weapons from them.
      Think about it carefully- when terrorists bust through the cockpit doors, they're going to be close, and they're going to be nicely framed targets in a little doorway. Assuming the pilots are vaguely aware of what's happening in the cabin behind them, they're going to be prepared to annihilate one or multiple attackers.


      Stun guns and other non-lethal methods often don't work well for single attackers, and are useless for multiple attackers.


      Picture this scenario: Terrorists, armed with whatever, try to take over the plane. They are highly trained in improvised weapons and hand to hand combat and there are four of them (a la 9-11). Dealing with the single air marshall that might be there would be easy- have one guy start everything, and when the Air Marshall jumps up to take care of the first, the others get out of their seats and take care of him. Presumably, this would be a lot of commotion, and the pilots would hear it from the flight attendants, through the doors, or through a cabin monitor of some sort.


      Now once they have the cabin under control, they go for the cockpit. They bust through the cockpit door (even if it is reinforced, it won't take long). Here's where the scenario splits.


      A. The first guy gets hit with a taser the pilots might have (or blocks it completely with a seat cushion shield.) The others then use whatever they have to kill or subdue the pilots, and take control of the plane. The air force sends up an F-15 and drops the airliner like a bad habit, Hopefully over a rural area. All onboard are lost, maybe some on the ground. National treasures are safe.
      B. The terrorists bust through the door. The pilots have the plane locked into autopilot so they can deal with the issue at hand. They shoot the first terrorist. The second. The third. What's left of the fourth after the air marshall, whom the terrorists already killed, dealt with him. Maybe they're such poor shots they accidentally shoot one person on board, maybe two. The plane lands ASAP (this takes at least 15 minutes from cruising altitude.) Innocent Casualties: 1 or 2, tops. Terrorist casualties: 100% & mission failure. The air force saves a $70,000 Air to Air missile for a target drone.

      The crypto-gram article discounts the fears of airliner integrity, so I'll be brief. Suffice it to say, if this airplane [aloha.net] can land safely from 24 000 feet, a few bullet holes don't mean shit.
      Other concerns:
      We can't trust pilots with guns
      Most pilots are ex-military that carried guns all the time when flying for the Air Force. Besides, we trust them with a $40 Million dollar aircraft and 100-400 passengers; why not a gun?
      Someone innocent might die
      Better than losing the entire plane. Even if they try and fail, I sure as hell prefer a fighting chance with a solid advantage.
      The pilots should focus on landing the plane, or engaging in maneuvers to throw the terrorists off balance
      How can the pilots land the craft if they're dead? How can they land it if they're doing crazy maneuvers? How can an air marshall do his/her job under crazy maneuvers? Answer to all: They can't.

      Pilots should be armed, end of story. The prospects look reasonably good for this becoming a reality through legislation, though the feds are bound to fuck it up by making it too complex and cumbersome. I think the same legislation also limits liabilities to airlines in case of accidental shootings in a crisis situation.

      We've known they're out to kill us, and if they come here to do it, let's send them to Allah without us.

      • Picture this scenario: Terrorists, armed with whatever, try to take over the plane. They are highly trained in improvised weapons and hand to hand combat and there are four of them (a la 9-11.

        I don't see this scenario being possible after 9-11. Anybody trying to hijack a plane with non-projectile/non-explosive weapons will be DOGPILED by the other passengers, especially if it looks like they're trying to get into the cabin. Improvised weapons and/or intensive combat training will only help you hurt/kill other individuals, but it won't move 800 pounds of desperate human flesh pinning you to the ground, and if you really make them desperate, it won't stop them from eventually gouging your eyeballs out & choking you to death.

        In order to hijack a plane nowadays, you need either a weapon dangerous enough to be likely to kill a significant number of the people on the plane in an instant, or you need enough hijackers (at least 30% of the passengers maybe?) to physically control all the rest of the passengers.

        • You're right, but it doesn't hurt to take reasonable precautions, and I happen to think arming pilots is reasonable.


          The next logical target would be cargo planes, as they have 2 or 3 people on board at the most. They're probably also a lot harder to hijack, as access is severely limited, and you'd have to do it on the ground.


          I've heard rumors that there have been some people of the type that performed 9-11 probing and practicing on domestic flights, trying to provoke reactions from air marshalls, without doing anything that would get them arrested. But this is just hearsay, so I guess we'll have to see.


          actually, IMHO, even explosives and projectile weapons (short of large capacity automatic weapons) would be enough to keep the passengers in line, cause if they think they're gonna die anyway, what is there to lose?

    • he has a link to an article which shows that profiling airline passengers is "provably less secure" than random searches at the gates


      Not quite:


      the authors of this paper show that, given a reasonably diverse population of terrorists, this system is provably less secure than random searching.


      The terrorists we are currently dealing with are not from a diverse population. With very few exceptions, they are male Muslim extremists mostly between the ages of 17 and 40 [oraa.org]. The paper assumes that Osama and his buddies can recruit a 25 year old Saudi and a 75 year old grandmother from Nebraska with equal ease, which is certainly not the case. It's an interesting theoretical piece, but certainly doesn't "prove" that profiling is a bad idea.

      • The terrorists we are currently dealing with are not from a diverse population. With very few exceptions, they are male Muslim extremists mostly between the ages of 17 and 40.
        And how does that help? Muslims can belong to any ethnic group, and Al-Qaeda recruits all over the world. Consider "American Taliban" John Walker Lindh (a white boy from Marin County) or "shoe bomber" Richard Reid (a British subject with a Jamaican father). And even among folks from the Middle East, how many Anglo security guards could reliably distinguish a Saudi from a Hispanic?

        Even if the profile screens out nine out of ten terrorists, the tenth one knows he is unlikely to get caught, so he can smuggle the bombs on the plane while the other nine stay on the ground and forge checks or whatever. That's the central insight of the "Carnival Booth" paper.

  • by Delrin ( 98403 ) on Friday August 16, 2002 @07:38AM (#4081865) Journal


    "None of this is new or controversial, so why are copyright holders even talking about this? This bill would make it legal for the MPAA, the RIAA, and its ilk to break into computer systems they suspect (with no standard of evidence) are guilty of copyright infringement. It will allow them to perform denial-of-service attacks against peer-to-peer networks, release viruses that disable systems and software, and violate everyone's privacy. People they choose to target would be deemed guilty until proven otherwise. In short, this bill would set up the entertainment industry as a Gestapo-like enforcement agency with no oversight. "

    Isn't this just becoming the general trend in America? I wonder how many victims of the MPAA will be Arabic-looking?
  • by Dooferlad ( 101535 ) on Friday August 16, 2002 @07:41AM (#4081873) Homepage Journal
    The latest Crypto-Gram has some things to say about Pd, or Palladium as the full name goes. It is interesting, but it doesn't say anything about something that sprang to my mind - the possibility of a virtual machine that runs as a Pd device, on top of a non-Pd device, completely breaking the security. This would be hard to do I expect, but not impossible. Those who have written VmWare and similar programs probably have it in them to reverse engineer the protocols used and re-produce them in software, for the sake of argument call it VmPd.

    It goes like this:

    VmPd runs on a PC, VmPd contains all keys required to access all areas of itself. VmPd is trusted, because it is a trusted PC (which is the point of this whole mess) to do what it is expected to do. For the sake of argument assume we have downloaded The Little Mermaid under license from Disney, and we are only allowed to play it once. We turn off VmPd, and all we have is an encrypted jumble on our hard disk where we set up the partition to host it. We also have the keys to read it though, and simply decrypt the movie and show it to our hypothetical little children as many times as we like.

    This works because, as I understand it, Pd only allows you to access material with certain rights, depending on what access partition it is under. If Disney set up an access partition for downloading movies, this will be done in a way that trusts your Pd machine.

    Assuming that Disney only give you a key when you pay for one, that key will always work unless they can change how the movie is encrypted. It is conceivable that they would have a player that on-the-fly re-encrypts the movie with a new public key as you view it, every time you view it, and they only give you the new private key when you pay for it. But the transmission of the key is encrypted, trusted because you have a Pd device, so you just intercept the key on its way into VmPd, don't play the movie, and decrypt it yourself and watch as many times as you like.

    I am probably missing something, but it makes for interesting thinking.
    • That is interesting...

      Now I'm excited about Palladium. ;)

    • The problem is of course in constructing the Palladium emulator (VmPd). You'd have to break a real one open to get the encryption keys out, and even if you succeed, the key of the real Palladium is licensed to you (and can be traced back to you). You won't be able to put it on a website without violating some agreement you signed when it was licensed to you.

      So yes, it could work, but it's not going to be easy and it will be a significant threshold for anyone who wants to upload new materials to p2p. It'll be possible, but not casually so.

      • Yeah. The problem is that the keys you'd have to get to build VMpd aren't the software keys, they're the hardware keys. The software keys are what you'd need to break into a partition on an unmodded palladium box.

        This is essentially how an XBox works; having learned (now, finally) from the modchip fiasco, the plan for Palladium calls for embedding the key *inside* the CPU. It might be possible to steal this and then emulate pdCPU in software, but getting that key out will be tricky and no doubt illegal.

        (Which means VMWare will never run palladium apps, btw...)
      • If you are going to break the law, do it in style. Go steal a Palladium box. Crack the keys, publish them, and have an innocent family ruined by the law. This is about what this version of digital rights management is, it's about raping and pillaging innocent people. What's a better point to make than to show what it really does to people?
    • by Kaa ( 21510 ) on Friday August 16, 2002 @10:19AM (#4082697) Homepage
      VmPd runs on a PC, VmPd contains all keys required to access all areas of itself. VmPd is trusted, because it is a trusted PC (which is the point of this whole mess) to do what it is expected to do.

      This might work if and only if you gain access to the private keys of the Pd hardware chip.

      If you have these keys, the security is broken completely and you can do whatever you want. Getting them is the hard part.

      Keep in mind that you, the owner of the machine, are NOT supposed to have access to these keys. In fact they are specifically protected against YOU.

      Pd is trusted in this context means that a Pd machine is trusted by Disney, etc. to display some copy-protected crap. You, the owner, are NOT the trusted party, you are the bad guy, the malicious bastard that your machine has to be protected from.
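
Added example, not part of the thread and not Microsoft's code: a simplified challenge-response model of the point made in the comment above, that an emulator is accepted only if it holds the chip's private key. The protocol shape, the names (`Device`, `check`, `run_scenarios`) and the toy textbook-RSA keys are assumptions for illustration; Palladium's real protocol is not described on this page.

```python
"""Toy model of hardware-key attestation. Illustrative assumption only:
textbook RSA over Mersenne primes is NOT secure and is used here just to
keep the example dependency-free."""
import hashlib
import secrets

E = 65537  # public exponent shared by all toy keys


def make_key(p, q):
    """Textbook RSA private key from two primes (no padding; demo only)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(key, msg):
    return pow(_digest(msg, key["n"]), key["d"], key["n"])


def verify(n, msg, sig):
    return pow(sig, E, n) == _digest(msg, n)


def n_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


# Constructed keys and values (hypothetical, not real Palladium material).
MFR_KEY = make_key(2**521 - 1, 2**607 - 1)    # manufacturer's signing key
CHIP_KEY = make_key(2**127 - 1, 2**521 - 1)   # key sealed inside the chip
CHIP_CERT = sign(MFR_KEY, n_bytes(CHIP_KEY["n"]))  # manufacturer vouches for chip
APPROVED = hashlib.sha256(b"approved player build (constructed)").digest()
MODIFIED = hashlib.sha256(b"patched player build (constructed)").digest()


class Device:
    """Anything that answers an attestation challenge: real chip or emulator."""

    def __init__(self, key, cert, claimed_n=None, measurement=APPROVED):
        self.key, self.cert = key, cert
        self.claimed_n = claimed_n or key["n"]  # public key it presents
        self.measurement = measurement          # hash of the software it reports

    def attest(self, nonce):
        return {"n": self.claimed_n, "cert": self.cert,
                "measurement": self.measurement,
                "sig": sign(self.key, nonce + self.measurement)}


def check(nonce, resp):
    """Content provider's side: trust the key, then the answer, then the software."""
    if not verify(MFR_KEY["n"], n_bytes(resp["n"]), resp["cert"]):
        return "untrusted key"
    if not verify(resp["n"], nonce + resp["measurement"], resp["sig"]):
        return "bad signature"
    if resp["measurement"] != APPROVED:
        return "unexpected software"
    return "ok"


def run_scenarios():
    own_key = make_key(2**107 - 1, 2**607 - 1)  # key an emulator generates itself
    chip = Device(CHIP_KEY, CHIP_CERT)
    captured = chip.attest(secrets.token_bytes(16))  # earlier exchange seen on the wire
    self_cert = sign(own_key, n_bytes(own_key["n"]))
    claimants = {
        "genuine chip": chip.attest,
        "genuine chip, modified player":
            Device(CHIP_KEY, CHIP_CERT, measurement=MODIFIED).attest,
        "emulator, self-made key and cert": Device(own_key, self_cert).attest,
        "emulator, borrowed public cert":
            Device(own_key, CHIP_CERT, claimed_n=CHIP_KEY["n"]).attest,
        "emulator, replayed response": lambda nonce: captured,
        # The comment's "if and only if": with the chip's private key the
        # emulator is indistinguishable from the hardware.
        "emulator, holds chip private key": Device(CHIP_KEY, CHIP_CERT).attest,
    }
    results = {}
    for name, respond in claimants.items():
        nonce = secrets.token_bytes(16)  # fresh challenge defeats replay
        results[name] = check(nonce, respond(nonce))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:36s} -> {verdict}")
```

In this model the verifier's trust rests entirely on the secrecy of the chip key and the manufacturer key, which is why the design keeps the chip key out of the owner's reach.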
  • More info here (Score:5, Informative)

    by countach ( 534280 ) on Friday August 16, 2002 @07:43AM (#4081887)
    There is more info at the EFF here [eff.org]. And donate some money while you're at it. That's more likely to help than a slashdot whine.
  • by A_Non_Moose ( 413034 ) on Friday August 16, 2002 @07:46AM (#4081898) Homepage Journal
    Today's MacHall [machall.com]
  • My favorite quote (Score:5, Insightful)

    by stefanb ( 21140 ) on Friday August 16, 2002 @07:46AM (#4081901) Homepage
    They're trying to invent a new crime: interference with a business model.

    This sums it up pretty nicely, I think.

  • by tlambert ( 566799 ) on Friday August 16, 2002 @07:46AM (#4081902)
    With all this non-resalable equipment and media, has anyone done an environmental impact study in terms of waste disposal, when your computer and/or its current OS load and the CDROMs it came on can no longer be donated to the local orphanage?

    We're already having problems with monitors and computers (it costs to throw a monitor away where I live, unless you take it to the dumpster at 3AM), with most printed circuit boards finding their way to heavily contaminating the countryside during cheap-labor disassembly after shipping to Asia.

    -- Terry
    • by Waffle Iron ( 339739 ) on Friday August 16, 2002 @08:56AM (#4082216)
      The Palladium scenario would be a net benefit for the environment. Nobody would ever throw away any electronic equipment ever again, for fear of losing the magic keys that enable them to watch the content that they paid for.

      No circuit boards would be dumped in Asia. They would remain embedded in ever growing stacks of redundant consumer electronics devices in American living rooms.

      One side effect: sales of outlet strips, surge protectors, A/V cables and video selector switches will skyrocket. Buy Belkin stock today to get in on the ground floor.

  • by bunyip ( 17018 ) on Friday August 16, 2002 @07:48AM (#4081905)
    Viewed from the 10,000ft level, it sounds like a common Hollywood plot (Pd in parens):

    It's the year 2050 (2004) and the government (MS) is telling everybody how they will live (compute). Trust is guaranteed by the government (MS) and violators will be punished (digitally locked out). The people (programmers), though outwardly happy (productive), harbor deep lingering desires for freedom (open source).

    Then, along comes a rough-shaven, rogue hero (hacker), played by Stallone or Schwarzenegger (Torvalds). The aforementioned hero (hacker) then liberates the people (programmers) from the tyranny of the government (MS). The people (programmers) are overjoyed, their lives have returned to normal.

    So - if it ever played out like this, I'm sure someone in Hollywood already has the rights to the script. Will they own us?

    Alan.
    • by Anonymous Coward on Friday August 16, 2002 @07:55AM (#4081940)
      Wow, I have to admit, the parent post is insightful (stupid). The analogies are concise (tired) and accurate (cliched). It truly makes me proud (depressed) to read this masterpiece of slashdot (slahbot) eloquence (drivel).
  • by Camillo ( 123336 ) on Friday August 16, 2002 @07:50AM (#4081913)
    Bruce also refers to Ross Anderson's TCPA/Palladium FAQ [cam.ac.uk], which is well worth a read. Of particular /. interest is question 18, cryptically titled "Ugh. What else?":

    "TCPA will undermine the General Public License (GPL), under which many free and open source software products are distributed." "You will still be free to make modifications to the modified code, but you won't be able to get a certificate that gets you into the TCPA system."

    A lot of background information can also be found from Ross' page about Economics and Security [cam.ac.uk].

    You should ask yourself the question "if a computer can run code in a protected environment, whose code would you be willing to let into the computer?" Once it's there, it is protected - even from you.

    • Part of the answer for question 22 in Ross' FAQ [cam.ac.uk] is even more disturbing:

      "When I asked [the Microsoft Research speaker] whether this meant getting rid of linux he replied that linux users would have to be made to use content screening."

      Currently, there is a "digital divide" between those who have computers and Internet access and those who don't. Palladium raises the bar to divide those who have Palladium and those who don't. This scares the shit out of me (not literally, now, but probably so in a few years).

      If power over people is founded in controlling information, then....
    • Bruce Schneier lists Ross Anderson's so-called "TCPA/Palladium FAQ" among a whole lot of other links to related content. Having read the TCPA spec, the recently published book on TCPA, Seth Schoen's notes (referred to by Schneier), and as much else as I can find about TCPA and Palladium, I would say that if you want to stand on someone's shoulders to see further into this area, Schneier is a giant, but Anderson is at best a dwarf, and probably standing at the bottom of a deep hole. I was shocked that someone with Anderson's reputation could produce such a poorly researched piece of work.

      Read the TCPA spec for yourself, it's on the web for all to see, as Schneier points out. Do your own thinking. A lot of what has been written about it is just plain wrong. There are risks and a dark side to that sort of technology, but also a lot of good things that could be done with it. The open source community could exploit TCPA to their advantage if there are people with the insight and imagination to see the opportunities.

    • I had written my thoughts on what might be acceptable DRM in my slashdot journal [slashdot.org] a while back. It doesn't provide for all the fair use rights we have traditionally come to enjoy, but I think it is impossible to come much closer and have any form of DRM at all (that is, it is the least-oppressive form of DRM I can envision).

      Why does this matter?

      Because there are very legitimate reasons for providing others access to content, software, etc. without having to tie them via a remote access protocol to secured hardware (servers). Imagine any type of distributed, cooperative P2P network where the clients could not be easily hacked to abuse the network. Control over unauthorized redistribution of copyright material is but one such application of DRM.

      Of course, the ??AAs don't want simple redistribution control: they want complete access control as well, turning the world into a pay-per-view-of-our-content nightmare. Deployment of oppressive DRM could certainly bring this about.

      I keep thinking how Microsoft had to bend to an open Internet, not under their control, except for the few protocols they tried to keep closed -- the net was fundamentally designed to be as decentralized as possible. If a non-oppressive means is not found to safely store foreign content on one's computer with regard to unauthorized redistribution to others, but that respects, as much as possible, the computer-owner's traditional fair use rights and technical freedoms, we will have a far more oppressive one shoved down our throats.

      There are problems with my attempt at "less-oppressive" (non-oppressive would not be completely correct) DRM attempt: its deployment and required PKI trust infrastructure would involve a huge capital cost. More oppressive DRM schemes would be, sadly, cheaper to deploy. The only way that the infrastructure costs could be mitigated would be if a PKI web of trust could be built on traditional trust models rather than few certificate authorities, and grow the way roads spring up between communities desiring to engage in communication and trade.

  • by miffo.swe ( 547642 ) <daniel.hedblom@gm a i l .com> on Friday August 16, 2002 @07:51AM (#4081920) Homepage Journal
    Bruce Writes:

    "It's hard to sort out the antitrust implications of Pd. Lots of people have written about it. Will Microsoft jigger Pd to prevent Linux from running? They don't dare."

    I don't have the same impression of Microsoft that Bruce seems to have. If I go through what they have done in the past there is nothing they wouldn't do to get more control. They will almost certainly have a licence tailored to make it hard for Open Source/Linux to implement it without breaking GPL.

    Considering that GPL is a bigger threat to them than linux itself I assume they will take a shot at it. GPL is the one thing stopping them from stomping all over Open Source wreaking havoc like in Simpson. They much prefer the BSD licence where they can "borrow" code since they, despite their extremely big cash pile, can't get people who know how to code.
  • by Wingchild ( 212447 ) <brian.kern@gmail.com> on Friday August 16, 2002 @07:54AM (#4081932)
    After reading the article, I can't imagine that a home user would ever make a point of purchasing a system on the order described. Hardware-level tampering resistance is a good thing for Department of Defense computers, say, but does the average home user, surfing the web and storing recipes, really have to worry about someone leeching that information from residual information that could (maybe) be gleaned from the CPU itself?

    Dear lord! Perish the thought.

    I can't even imagine most companies having to deploy something on this order to safeguard their data. Hell, I'm not even sure the military needs it.

    For reference, the Department of Defense has a series of guides and guidelines for locking systems down to ensure security. These are called STIGs and are created by DISA (Defense Internal Security Agency) and the NSA (National Security Agency). When the guides are applied the machines are as secure as can be made.

    Part of the guidelines cover physical security; i.e., if someone can reach your hardware physically without being cleared for it, you fail that part of the check. As such, I can't imagine how Palladium would not be redundant to things we already have in place.

    For good security, you can use smartcards with a PKI certificate, anyway. Don't let someone sign on without one, don't let them access data without one, have an active and interested central monitoring and issuing authority and practice good physical security. Save the money you'd spend on Palladium equipment.
    • I can't imagine that a home user would ever make a point of purchasing a system on the order described. Hardware-level tampering resistance is a good thing for Department of Defense computers, say, but does the average home user, surfing the web and storing recipes, really have to worry about someone leeching that information from residual information that could (maybe) be gleaned from the CPU itself?

      I think that the point is that the consumer does not have a choice. They buy the latest and greatest that Dell sells them, and don't really pay attention to the OS, or anything else associated with the machine. People will be adopting something that they don't understand. Not a whole lot different from what goes on today.

    • After reading the article, I can't imagine that a home user would ever make a point of purchasing a system on the order described. Hardware-level tampering resistance is a good thing for Department of Defense computers, say, but does the average home user, surfing the web and storing recipes, really have to worry about someone leeching that information from residual information that could (maybe) be gleaned from the CPU itself?
      The "average user" won't get a choice. The number of organizations capable of designing and manufacturing general computing chipsets has been falling since the 1980s; I believe that in order to produce an Intel-compatible motherboard today you would be forced to buy chips from one of three vendors. Once those three are on-board (ha ha), all chipsets and hence all Intel systems will become Palladium compliant.

      A few techno-geeks might be capable of putting together Linux systems from the parts bin, but they likely then wouldn't be able to run any commercial software.

      sPh

    • After reading the article, I can't imagine that a home user would ever make a point of purchasing a system on the order described. Hardware-level tampering resistance is a good thing for Department of Defense computers, say, but does the average home user, surfing the web and storing recipes, really have to worry about someone leeching that information from residual information that could (maybe) be gleaned from the CPU itself?

      You're right -- for the average home user, a non-palladium system will be more useful than a palladium system, all (technical) things being equal. But there will be marketing, social and political issues that will sway the average user --

      • Palladium will (and already is) being marketed as a way for the average user to secure his or her own information, even if this claim is somewhat dubious. (It has been billed as a way to prevent viruses from running, because they wouldn't be signed and would not be trusted by default, for instance.) Remember that no matter what their marketing people say, Microsoft doesn't care one whit about the integrity of your data, unless they can find a way to make money from it.
      • Major content distributors have, for the most part, been hesitant to distribute digital content without the ability to control it as much as possible. Once Palladium-enabled PC's ship, don't be surprised when all new CD's, DVD's, or whatever is carrying content at that time won't work on old PC's (or, old stand-alone players for that matter). This will be an incentive for the average user, who can't live without their media, to upgrade their hardware and software to Palladium-enhanced versions.
      • As we have seen in the past, content distributors will buy legislation, in as many countries as possible, that will make it illegal to circumvent the "protections" in a DRM scheme, and Microsoft will be happy to offer Palladium as a way to comply with that law. (As above, this will be billed as a way to protect consumers, when in reality it is a way to protect content distributors at the expense of the average citizen.) By licensing the technology to all "established" Commercial OS (and standalone media player!!) vendors, they can dodge the Monopoly accusations while getting to Microsoft's Holy Grail -- getting money for every PC (and CD/DVD/whatever player!!!) that ships, whether or not they actually own the OS that ships on it. It has the added benefit of mandating that people upgrade their hardware in order to comply with the law!
    • After reading the article, I can't imagine that a home user would ever make a point of purchasing a system on the order described.

      Unfortunately the home user won't read the article. He will read advertisement ads that promise him a computer that will make "Windows XP even more secure".

      The home user bought Office 2000 because of the helpful little paperclip. He will buy this.

      • So tell them!!! (Score:5, Interesting)

        by DoctorFrog ( 556179 ) on Friday August 16, 2002 @09:29AM (#4082393)
        Unfortunately the home user won't read the article. He will read advertisement ads that promise him a computer that will make "Windows XP even more secure".

        The home user bought Office 2000 because of the helpful little paperclip. He will buy this.

        Being defeatist about it doesn't do squat. I bring these kinds of articles to work. I leave them in the lunch room. I don't have to proselytise any more than that; everyone knows it's me leaving them, and they ask me. I tell them what's going on and what they can do about it, including the downsides ("You will have to learn more about your computer. You will have to do some research before you buy new hardware. You won't have as many commercial applications available, and that includes games.").

        I keep a supply of Live-CD distros in my desk and I give them away. Microsoft has lost several Joe Sixpack level customers from this activity. I will help people do the switch, while making it clear to them that I'm not an expert or a professional, just a guy willing to help; I will always make a full backup if they have a burner (except for XP), and I will always recommend a dual-boot at least to start with, and I will always promise to do my best to restore their system (no guarantees) if they decide to go back to all-Windows. So far no one has taken me up on that last one.

      • by rseuhs ( 322520 ) on Friday August 16, 2002 @10:03AM (#4082595)
        Unfortunately the home user won't read the article. He will read advertisement ads that promise him a computer that will make "Windows XP even more secure".

        The home user bought Office 2000 because of the helpful little paperclip. He will buy this.

        Wrong, the home user did not buy Office 2000. If they have it at all, they pirated it.

        And that's Palladium's problem. Currently, the home user is used to pirating software/music/movies and if anything tries to stop him doing it, he will refuse to use it.

        There will be a market for non-Palladium systems (to be more specific, there will be no market for Palladium systems) so companies will produce for that market. If AMD and Intel are really so stupid to refuse to make any non-Palladium chips anymore, be ready for VIA and Transmeta chips that will be bought if there is no other chance to watch "insecure" content on the PC.

        Come on, this has been tried before (DivX-hardware player) it just does not work.

        • Come on, this has been tried before (DivX-hardware player) it just does not work.
          Also, remember Digital Audio Tape? At the time it was introduced, it was technically superior to regular audiotapes (higher sound quality) and CDs (since it could be copied, and CD-Rs weren't on the market yet). The RIAA howled about how this was going to destroy their business, etc., etc. A law was passed. DAT recorders were rigged so they couldn't make second-generation copies.

          Result: Nobody bought DAT recorders.

    • After reading the article, I can't imagine that a home user would ever make a point of purchasing a system on the order described.
      ...
      Save the money you'd spend on Palladium equipment.
      People don't buy Wintel stuff based on whether or not they like its features. They buy purely based upon network effects. Or rather, there's one feature that is more important than all others combined: compatibility. If this weren't the case, Microsoft and Intel would have gone out of business many years ago.

      I've seen a single spreadsheet being mailed to someone, result in them spending two or three thousand dollars on a new computer that didn't offer anything else the user wanted, except for the ability to read that spreadsheet. In a market like that, a leader can get away with poisoning their products in just about any way. Joe Sixpack will buy Pd if that's what it takes to be able to watch the trailer for "LotR 4: Sauron's Revenge" or take his work home with him.

      The only thing that can stop this is for people to become more conscientious, and I just can't see that happening.

  • Can someone please explain why the desired level of security can't be obtained by only software? What exactly are the situations which require a security chip as opposed to software? I'm not speaking of physically breaking into the computer, but someone at the keyboard or over a network.
    • Because you control the software. The object of the exercise is to protect the copyright holder of the file you put on your computer from you.
    • by Ngwenya ( 147097 ) on Friday August 16, 2002 @09:46AM (#4082512)
      Can someone please explain why the desired level of security can't be obtained by only software?

      Because the control mechanism in any von Neumann machine is in the same band as the stuff being controlled (ie, the OS - which enforces the security policy - operates in the same space - the CPU's available memory - as the programs which may, or may not, behave themselves).

      Ultimately, the only way to have a secure audit trail for how a computer got to its current state is to have the verifier out of band from the verified. This is why you need the trusted component (the tamper proof verifier which can sign the logs of the host system). Assuming no-one can get to the trusted component private keys (even, or especially, the computer owner), another computer can trust the signature to be an accurate representation of the state of the original machine.

      By the way, it's this in-band control mechanism which means that the Internet Protocols have an incredibly hard time defending themselves against DoS attacks - because the ICMP packets travel along the same route as the TCP/UDP packets. If you can interfere with the data stream, you can interfere with the control stream as well. The phone companies found this out ages ago, which is why whistling at 2600Hz doesn't work any more.

      --Ng
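The out-of-band verifier described in the comment above, sketched as an added example that is not part of the original post or any Palladium code. `TrustedComponent`, `boot`, `verify_attestation` and the component names are hypothetical, and a Lamport one-time hash signature stands in for whatever key the real chip would hold, so the example needs only the standard library.

```python
import hashlib
import hmac
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signature: a hash-based stand-in for the chip's signing key.
def lamport_keygen():
    sk = [[os.urandom(32) for _ in range(256)] for _ in range(2)]
    pk = [[H(secret) for secret in row] for row in sk]
    return sk, pk

def _digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    # Reveal one secret per digest bit; the key must never sign twice.
    return [sk[bit][i] for i, bit in enumerate(_digest_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hmac.compare_digest(H(sig[i]), pk[bit][i])
               for i, bit in enumerate(_digest_bits(msg)))

class TrustedComponent:
    """Hypothetical out-of-band verifier: the host may feed it measurements,
    but can neither read the private key nor set the register directly."""

    def __init__(self):
        self._sk, self.public_key = lamport_keygen()
        self._register = bytes(32)
        self._quoted = False

    def extend(self, component: bytes) -> None:
        # The new value folds in the old one, so history cannot be rewritten.
        self._register = H(self._register + H(component))

    def quote(self, nonce: bytes):
        if self._quoted:
            raise RuntimeError("one-time key already used")
        self._quoted = True
        return self._register, lamport_sign(self._sk, nonce + self._register)

def boot(components):
    """Measure each component into the trusted component before it runs."""
    tc = TrustedComponent()
    for component in components:
        tc.extend(component)
    return tc

def replay(log):
    register = bytes(32)
    for entry in log:
        register = H(register + H(entry))
    return register

def verify_attestation(pk, nonce, log, register, sig, expected) -> str:
    """Remote verifier: trusts only the signature, then checks the host's log."""
    if not lamport_verify(pk, nonce + register, sig):
        return "bad signature"
    if replay(log) != register:
        return "log does not match signed register"
    if list(log) != list(expected):
        return "unexpected software"
    return "trusted"

# Constructed sample boot chains (not real measurements).
EXPECTED = [b"bootloader v1", b"kernel v1", b"policy v1"]
TAMPERED = [b"bootloader v1", b"kernel v1 + patch", b"policy v1"]

def run_scenarios():
    results = {}
    nonce = os.urandom(16)

    tc = boot(EXPECTED)
    reg, sig = tc.quote(nonce)
    pk = tc.public_key
    results["honest"] = verify_attestation(pk, nonce, EXPECTED, reg, sig, EXPECTED)
    # An old quote presented against a fresh challenge.
    results["replayed quote"] = verify_attestation(
        pk, os.urandom(16), EXPECTED, reg, sig, EXPECTED)

    tc = boot(TAMPERED)
    reg, sig = tc.quote(nonce)
    pk = tc.public_key
    # Host software (in band) controls the log it reports, not the signature.
    results["honest log"] = verify_attestation(pk, nonce, TAMPERED, reg, sig, EXPECTED)
    results["forged log"] = verify_attestation(pk, nonce, EXPECTED, reg, sig, EXPECTED)
    results["forged register"] = verify_attestation(
        pk, nonce, EXPECTED, replay(EXPECTED), sig, EXPECTED)
    return results

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:16} -> {verdict}")
```

The verdicts hold only under the assumption the comment states: nobody, including the machine's owner, can extract the private key from the trusted component.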
  • by Greyfox ( 87712 ) on Friday August 16, 2002 @07:59AM (#4081952) Homepage Journal
    Bruce Says: My fear is that Pd will lead us down a road where our computers are no longer our computers, but are instead owned by a variety of factions and companies all looking for a piece of our wallet.

    We're already well down that road. It is very easy to see a day when the general computing device we all know and love will be illegal because it makes it way too easy to copy digital data. Never mind that what made the general computing device popular is that it manipulates digital data so easily.

    We all know what the industry wants. The industry wants a pay per view world where every consumer pays every time he views industry owned content and the industry is protected from competition because they control the technology that allows content to be created. It isn't about fairness. It isn't about content authors getting paid. It's about greed, plain and simple.

    • I thought I closed that i tag there. That's what I get for posting to slashdot before I've had my coffee. Bruce said the stuff in the first paragraph there. The second two are my comments.
  • by jukal ( 523582 ) on Friday August 16, 2002 @08:00AM (#4081958) Journal
    Palladium, Pd46, Heat of vaporization 357.0 kJ/mol. I guess kJ/mol means, KiloJournalists / Microsoft's Obfuscated Literature?

    • Palladium, Pd46, Heat of vaporization 357.0 kJ/mol. I guess kJ/mol means, KiloJournalists / Microsoft's Obfuscated Literature?

      That's it! Bill Gates is on a quest to make 1 mole of dollars! Let's see, $6.02x10^23... he's almost there!

  • I'm sure others will mention this, but I thought this quote was worth highlighting.

    Microsoft really doesn't care about what you think; they care about what the RIAA and the MPAA think.

    Anyhoo, I thought this was a good, well balanced article. He's much more realistic than most about what may happen, both on the paranoid and the hopeful angles.
    • Re:Good insight (Score:3, Insightful)

      by seosamh ( 158550 )
      I was going to quote the same passage, along with

      Microsoft can't afford to have the media companies not make their content available on Microsoft platforms, and they will do what they can to accommodate them.


      Whether MS actually needs the content companies at this point is debatable. If it came to that, Gates could buy a couple ;> in a pinch.

      But if MS wants content available on their platform, why not open that platform up to let the consumers of content make sure they can access their favorites on Windows? There are a lot of people who use MS products by choice (not me, but there are such people) who would build their own open source solutions if MS would give them the slightest encouragement.

      Or maybe not. What the hell do I know?
    • beleg777 wrote:

      > I'm sure others will mention this, but I thought
      > this quote was worth highlighting.
      >
      >> Microsoft really doesn't care about what you
      >> think; they care about what the RIAA and the MPAA
      >> think.

      Even more, Microsoft doesn't care what its *customers* think. And that is going to get it into serious trouble one fine day.

      I don't care how unsophisticated a computer user is, most people would notice not being allowed to do a favorite activity when their old PC let them do it. If you think the copy-protected CD returns are something, wait till you see droves of people trying to return their Palladium PCs because:

      1) It has a virus. It's not supposed to get them.
      2) It ate my mp3 collection.
      3) It won't play my CDs. There is nothing wrong with them, my old PC played them just fine.
      4) It charges my credit card every time I play some music.
      5) It won't run this program I downloaded. In fact it tried to call the police, but I unplugged the phone line. Nope, it wasn't warez, it was this cool free (GPL'd) program named FileZilla. The computer was calling me a commie.
      6) It won't run my old programs.

      If the RIAA and MPAA are all Microsoft cares about, then they can just go swim with those sharks. And they can share their fate: shark steaks:

      Eisner and Disney (what he gets for saying mean things about Mothra's dear Apple):
      http://www.businessweek.com/bwdaily/dnflash/aug2002/nf20020816_4160.htm

      AOL Time/Warner:
      http://www.cableworld.com/archive/cableworld/2002/08/05/cwd02080506.shtml

      Vivendi:
      http://news.bbc.co.uk/1/hi/business/2082412.stm

      Mmm, yummy. Somebody pass the butter sauce.

      Bells are ringing: Mothra, Mothra! Every heart is calling: Mothra, Mothra!
      Come on, Tok Wira, these sharks have gotta pay! New Kirk calling Mothra, we need you today!
  • On the same topic... (Score:3, Informative)

    by jnd3 ( 116181 ) on Friday August 16, 2002 @08:07AM (#4081978) Homepage
    Bob Cringely wrote a column [pbs.org] on the same topic about a month ago. He called Palladium a Rosetta Stone for malicious hackers. Sounds like a blast.

    That's just what I want, another Microsoft initiative aimed at security. They've done such a good job at it so far that now I'm a whisper away from getting my account canceled by my ISP -- all because some Outlook/Outlook Express user somewhere has Klez and our e-mail address.
    • Nice column. Unfortunately, it proves nothing more than that Cringely and his hax0r friends shouldn't be talking about crypto, since they apparently don't understand some pretty fundamental points and cryptographic techniques.

      If I understand correctly what my friend has written above, the Palladium architecture presents a wily hacker with what is essentially a Rosetta Stone -- two versions of the same data (one encrypted, one not) from which one can quickly divine the key needed to transform one to the other.

      Gee, if you have both the crypttext and the plaintext of something that's encrypted, it's easy to extract the key! Um, well, maybe if you're using XOR or something; apparently Cringely has never bothered to actually look at strong cryptography (why doesn't this surprise me). For those who don't know (but at least have the sense to not rant about what they don't understand), part of the definition of strong crypto is that it is computationally infeasible to determine the encryption key given both plain-text and crypt-text. Extracting a key given a crypttext-plaintext pair is certainly not simple or 'quick'.

      Honestly, I wonder why people listen to Cringely at all - he has a chronic inability to get his facts straight. If you're going to bash something you should at least bother to understand what you're talking about.
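The distinction drawn in the comment above, as an added example that is not part of the original post: a known plaintext/ciphertext pair yields the key of a repeating-key XOR scheme, but only one message's keystream from a cipher built on a pseudorandom function. The keys, nonces and messages are constructed, and HMAC-SHA256 in counter mode is a standard-library stand-in for a real cipher such as AES-CTR.

```python
import hashlib
import hmac
from itertools import cycle

def xor_bytes(a, b) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def xor_repeating(key: bytes, data: bytes) -> bytes:
    """Weak scheme: the key is simply repeated over the message."""
    return xor_bytes(data, cycle(key))

def recover_repeating_key(plaintext: bytes, ciphertext: bytes, max_len: int = 32):
    """Known-plaintext analysis: P xor C is the keystream; if it repeats with a
    short period, that period is the key. Returns None if no period is found."""
    stream = xor_bytes(plaintext, ciphertext)
    for n in range(1, max_len + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return None

def prf_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream block i = HMAC-SHA256(key, nonce || i)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]

def prf_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return xor_bytes(data, prf_keystream(key, nonce, len(data)))

# Constructed sample material.
XOR_KEY = b"Pd-demo-key"
PRF_KEY = hashlib.sha256(b"constructed demo key").digest()
NONCE_1, NONCE_2 = b"nonce-0001", b"nonce-0002"
KNOWN = b"Attestation report: boot chain verified, policy 7 loaded, state OK."
SECOND = b"Second message the attacker never saw in clear."

def run_demo():
    results = {}

    # Repeating-key XOR: one known pair gives up the key and every message.
    recovered = recover_repeating_key(KNOWN, xor_repeating(XOR_KEY, KNOWN))
    results["xor_key_recovered"] = recovered == XOR_KEY
    results["xor_second_message_read"] = (
        xor_repeating(recovered, xor_repeating(XOR_KEY, SECOND)) == SECOND)

    # PRF-based cipher: the same pair yields only the keystream for NONCE_1.
    c1 = prf_encrypt(PRF_KEY, NONCE_1, KNOWN)
    keystream_1 = xor_bytes(KNOWN, c1)
    results["prf_key_pattern_found"] = recover_repeating_key(KNOWN, c1) is not None
    c2 = prf_encrypt(PRF_KEY, NONCE_2, SECOND)
    results["prf_second_message_read"] = xor_bytes(c2, keystream_1) == SECOND

    # Caveat: reusing the nonce reuses the keystream, key secrecy or not.
    c3 = prf_encrypt(PRF_KEY, NONCE_1, SECOND)
    results["prf_nonce_reuse_read"] = xor_bytes(c3, keystream_1) == SECOND
    return results

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:26} {value}")
```

The last case is the check worth running against any design that claims known-plaintext resistance: the key stays secret, yet a repeated nonce still exposes the second message.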

  • by ejaw5 ( 570071 ) on Friday August 16, 2002 @08:09AM (#4081983)
    as all chemistry students will learn:

    Palladium (Pd) + MP[3/G/EG] (MP*) => Fire.
  • How to beat it (Score:2, Interesting)

    by ShieldW0lf ( 601553 )
    My understanding of the way this system works is that the author of a piece of media will be able to revoke people's rights to use it remotely. What needs to happen is for someone to hack some major source of media, and wipe out everyone's media. Once this happens, people will refuse to buy the hardware. If you could wipe out a few multinationals and a few important government departments, that would help bring us all together, "consumers" and government alike.
    • I had a similar plan to kill off the BSA,
      Construct a worm/virus with a load of keygens that goes around changing all the software licences it finds, the BSA wouldn't be able to work out what was licensed and what wasn't.

      You could do the same for media, change all the keys, once you've done that everything would be buggered.
  • by gillbates ( 106458 ) on Friday August 16, 2002 @08:13AM (#4081993) Homepage Journal
    My fear is that Pd will lead us down a road where our computers are no longer our computers, but are instead owned by a variety of factions and companies all looking for a piece of our wallet.

    Strange thing is, what most people don't realize is that they don't own the software that runs on their computer. Microsoft does (or at least the EULA claims they do). Our computers are not our own, and have not been our own, for a long time now. The sad fact is that while we may physically own the hardware, a part essential for the hardware functioning - namely, the OS - is owned by Microsoft.

    Now, you could counter by saying that people could run Linux, however, this isn't really an option for the average computer owner. Most computers built today have hardware that isn't fully compatible with Linux (Winmodems, etc...). So, while the user has physical possession of his computer, all of his data is effectively owned by Microsoft, because without Microsoft's blessing, the average PC is useless.

    So the next time you hear of someone wanting to buy a new PC, you might want to remind them that unless they are willing to install Linux, they aren't really buying anything. It's more like a lease from Microsoft.

    • Re: (Score:3, Insightful)

      Comment removed based on user account deletion
      • Yes, it's an old, worn issue... And many people still don't know about it. Or play down its importance. Or ignore it entirely.

        Also, note that you used to be buying a copy of the Little Mermaid (to use your example), but some of your property rights were restricted for the good of society and the intellectual commons. Unfortunately, recent copyright law revisions have travelled far along the road to turning copyright into ownership, so this is no longer true.

        Yes, it's an old issue... And we should keep reminding people of it. Because ignoring it won't make it go away.

        • It looks like a duck, it quacks like a duck... it must be a duck.

          Purchasing software or movies... It looks like a sale, it acts like a sale... it must be a sale.

          You are still limited by what copyright law allows. But copyright law allows an awful lot.

          Yes, to run a program that you purchase on CD, you copy from the CD to the CD-ROM cache, to the computer RAM, to the computer HD, then run it and copy to the computer HD cache, to the computer RAM, to the CPU L2 cache, to the CPU L1 cache, to the CPU registers.

          Guess what... to watch a VCR tape, your VCR does much the same thing. It reads an analog signal off a tape, transmits it through several filters to a wire connecting it to your tv, into the tv and through several filters, to an electron beam gun. Lots of copies for that, and 20 years history that this is all completely legal, no license required.

          All the copying required to run a computer program is covered under copyright law and fair use. Copyright law basically says you can do one of two things... you can copy something, or you can distribute it. But you can't do both. I can make as many copies as needed or desired of something in order to use it, and so long as I don't distribute any of those copies to other people, I'm within the law.

          (Yes, exact legal opinions don't precisely say that... but they are close enough to work that way in practice. That's why the media companies are trying to buy new laws to prevent this.)

          Licenses are not required to legally run software you *buy*. Ditto for movies you buy. You are still limited by copyright law, but in no way do you need a license in order to legally use this product you bought.
      • If you buy a DVD of "The Little Mermaid" do you actually own the little mermaid? Can you resell copies of it? Resell distribution rights?

        What do you get for your $20?

        You get the right to watch a copy of that movie, in a certain way, on certain devices. You don't own "The Little Mermaid", but rather a mere copy.

        You've missed a very important point, if you purchase a DVD you've also purchased the rights of fair use of that copy. These are the same rights you get when you buy a book. Fair use includes:

        • The right to protect your purchase by making a functional backup copy.
        • The right to lend the media to another party without compensation so that they may view the contents.
        • The limited right to exhibit the contents without compensation. (You can invite friends over to view the contents.)
        • The right to space shift. (i.e. the right to use the media in any device anywhere.)
        • The right to time shift. (i.e. the right to use the media at any time.)
        • The right of resale.
        • The right to destroy the content.
        • Upon expiration of the copyright, the right to do anything you want to it, including selling copies.
        The content providers (read MPAA, RIAA and other abusive corporate monopolies) have attempted to use technology, the courts, and the congress to limit these rights. The above rights are limited by:
        • Technological and legal impediments to fair use. (Copy protection, DMCA, etc.)
        • Making media that are specific to a single device or class of devices. (Region coding, DRM, Pd)
        • Making media that are time limited. (DivX, Pd, DRM)
        • Pressuring legislators to extend copyrights far beyond the limited times intended in the constitution.
        The idea that copyrighted works are "licensed" is a relatively new invention. The "content providers" have been fairly successful in convincing the world that this is true. They've also been successful in convincing the congress and the courts that the constitutional reason for copyright is guaranteed profit, rather than advancement of the arts and sciences.
      • If you buy a DVD of "The Little Mermaid" do you actually own the little mermaid? Can you resell copies of it? Resell distribution rights?

        No, but I can sell my actual copy of the movie. Microsoft tries to claim I can't even sell the original of my software, even if I never use it again myself.
    • Please stop the FUD. The majority of computers is very well compatible with Linux.
  • Amazingly enough, this one is able to analyze most of the knowledgebase around "Palladium" and boil it down to the more interesting core issues. I would've appreciated a little more insight along the lines of what such a strategy as Palladium does to the role of the PC however. Generally speaking, PCs are multipurpose machines, which are *fully* programmable, and do pretty much whatever you tell them to. They manipulate data in any way *you* the *user* see fit. What Microsoft is attempting with "Palladium" is going to place restrictions about what a PC can do, and leave these restrictions up to the content producers. I won't comment on the stance of the content producer, but I will mention that this is a departure from what has been a central tenet of the computer: "it's yours". The trend seems to be shying away from "it's yours" to "you didn't buy it, you paid us to ALLOW you to use it - in a way we deem appropriate". Of course, "we" being the content producers. Microsoft really doesn't care what we do with our music and movies - they just don't want the MPAA/RIAA/Legislators breathing down their neck.
  • by jvmatthe ( 116058 ) on Friday August 16, 2002 @08:25AM (#4082042) Homepage
    Microsoft really doesn't care about what you think; they care about what the RIAA and the MPAA think. Microsoft can't afford to have the media companies not make their content available on Microsoft platforms, and they will do what they can to accommodate them.

    This brought two ideas to mind...
    • Microsoft often positions themselves as a company that empowers the individual user with new software. Will this pitch ring as true when they have clearly stacked the deck to pay homage to the mighty media companies at the expense of the usual freedom that users are fast becoming used to? Or will they find a way to make less freedom seem like more, so that the individual users don't notice?
    • My usual impression of Microsoft is that they will work around obstacles to maximizing profit. That's what C# (vs. Java) and IE (vs. Netscape) are all about. So, perhaps they'd eventually find it in their best interest to become a real media company themselves and work to lay the new foundation for replacements (or a replacement) for the MPAA and RIAA. Why not the Global Media Producers Association which encompasses all media and has a leaning towards digital distributions, effectively making the MPAA and RIAA obsolete? With such a leadership role (staying at arm's length to stave off anti-trust litigation), they could easily position themselves as the premiere distribution point for such media, without necessarily locking out other platforms (like Apple's MacOS).
    • Wouldn't it be cool, in a way, to see Microsoft pay lip service to the RIAA and MPAA while cleverly stabbing them in the back? Microsoft is, after all, one of the most vicious hard-ball companies around, or at least has given many that impression. I say that not necessarily in a negative light, in case it comes across that way. It's kind of like enjoying watching a good bad guy in a movie. :^)

    Ok, time for work...
    • Microsoft is, after all, one of the most vicious hard-ball companies around, or at least has given many that impression.

      I think Microsoft's history of raping its business partners for fun and profit is well known. I seriously doubt that Entertainment, Inc. is willing to have any dependency on MS at all, in fact they'd like to force MS to license their systems, software and patents.

      Didn't MS even proffer a digital music system to the RIAA a while back (2-3 years ago) that RIAA blew off?

      I think "wishing" MS would screw Entertainment, Inc is a little like wishing Stalin would defeat Hitler; it gets rid of one bad guy but it only allows another to roll ahead freely.
  • No one will ever even imagine a beowulf cluster of these Palladium PCs!! Damn!
  • I can see it now, you will have to buy Mod chips for your PC on the grey market, to get around the hardware "security" just to install Linux..
    • I can see it now, you will have to buy Mod chips for your PC on the grey market, to get around the hardware "security" just to install Linux..

      Yes, maybe so! Obviously the first version of Palladium will be the friendliest, in order to calm critics and get user acceptance. At some point in the future you won't be able to install Linux, but before that a lot of other stuff will be gone, too. The PC will be a completely different thing, the stuff you can do with it will be outweighed by the stuff you are not allowed to do with it, by then. It will be a slow process of course, to keep the users in a spiral that is slowly spinning down (you don't want to wake them up doing harsh movements).

      The main problem is, that the computer as we know it today is inherently the most dynamic tool mankind has ever built. It is based on the concept of copying and modifying data freely. Most of the computer's convenience and usefulness comes from this property. Now Palladium/DRM takes this away to the maximum extent possible without turning the whole PC into a vegetable.

      This technology WILL come, and it WILL take away our most beloved toy to replace it with some ghastly Juggernaut that watches our every move. Our own PC will be treating us as the enemy!
  • by Kenneth Stephen ( 1950 ) on Friday August 16, 2002 @08:34AM (#4082090) Journal

    To quote : "3. Like everything else Microsoft produces, Pd will have security holes large enough to drive a truck through. Lots of them. And the ones that are in hardware will be much harder to fix. Be sure to separate the Microsoft PR hype about the promise of Pd from the actual reality of Pd 1.0."

    Sure, Microsoft has to date produced lots of software with security holes "large enough to drive a truck through". However bear in mind that the holes have usually been a consequence of the overriding principle of wanting to keep things user-friendly at all costs. Their past history doesn't imply anything about how secure they can make their stuff. Certainly, Microsoft hires a lot of smart people and I'm sure that if they were given the mandate to design and implement a secure infrastructure, they could do it - something that Bruce seems to think is impossible.

    • Certainly, Microsoft hires a lot of smart people and I'm sure that if they were given the mandate to design and implement a secure infrastructure, they could do it - something that Bruce seems to think is impossible.
      Design, yes. Implement? Well, given the SSL certificate mishandling in IE that's been reported recently (and commented on in this same edition of Mr Schneier's Cryptogram), quality control still seems to be a little, um, lacking. It's a little difficult to change the whole culture of an organisation from getting the latest! greatest! new-featured! products out of the door to hit the marketing window, to one where you're concentrating on getting the thing done right, even if you need to take more time and money over it. Yes, MS will gradually improve - it has no choice as it moves into areas where errors may cost serious money - but it will be a long process.
    • by sphealey ( 2855 ) on Friday August 16, 2002 @09:18AM (#4082330)
      Sure, Microsoft has to date produced lots of software with security holes "large enough to drive a truck through". However bear in mind that the holes have usually been a consequence of the overriding principle of wanting to keep things user-friendly at all costs. Their past history doesn't imply anything about how secure they can make their stuff. Certainly, Microsoft hires a lot of smart people and I'm sure that if they were given the mandate to design and implement a secure infrastructure, they could do it - something that Bruce seems to think is impossible.
      I would argue that it is in fact the very "smartness" of the people at Microsoft that makes it unlikely that MS will be able to create a secure product. Mr. Gates has explicitly stated (interview in Newsweek about 1995) that when he was hiring people to build Microsoft, he wanted very young, very smart people with no previous experience in the computer industry. And he got them in droves. So these very smart people came in and started rebuilding everything from scratch - without bothering to study the fundamentals or learn about what had been tried in the past.

      So the smart people at Microsoft made every mistake that had been made in computing since 1938 all over again, without knowing they were making those mistakes or what their consequences would be. Networking is a perfect example: in their haste to bring something to market that would displace Novell (keeping in mind that Novell created the market for MS-DOS networking), the genuii at MS built a clumsy, difficult to manage, insecure contraption of a networking system that ignored every lesson Xerox, Novell, 3Com, Wang, and others had already learned.

      And, thanks to the power of the installed base, we are now stuck with Microsoft Networking and its insecurities for at least the next 20 years, because everything has to be backward compatible with what is already out there.

      So I would say a combination of smartness, arrogance, and lack of perspective is exactly what has brought Microsoft code to where it is today. And a corporate culture of that nature is very, very hard to change.

      sPh

  • What is also interesting to note about this article is the hints it gives as to Microsoft's future plans for software security. The idea of having independent secured partitions within a computer is not new of course, but it's nice to note that MS is doing *something* about their rather poor security history. Oh GOD, please pray that they don't integrate Outlook Express with the *secure OS* portion of Palladium
  • Not the MPAA's bill. (Score:3, Interesting)

    by Anonymous Coward on Friday August 16, 2002 @08:55AM (#4082212)
    Quite frankly, I'm a little tired of the reactionary way in which any perceived infringement on electronic freedom is automatically associated with the MPAA. For the record, the RIAA works closely with Berman, and the bill is more or less theirs. Jack Valenti has publicly distanced himself from the bill, and it's not something the MPAA had a hand in.

    There's a lot of misdirected initiatives out there, but please credit the MPAA with knowing what's right and what's not.

    In layman's terms: Stealing our member companies' product: wrong. "Hacking" (I'd prefer "cracking," or simply "script-kiddying," as a DoS attack is not hacking in the traditional sense) a consumer's computer: wrong. Sending Cease and Desist letters and, when those fail, working with the ISPs not to terminate accounts (examples of the MPAA's letters can be found at chillingeffect.org and you'll note they do not include language asking for account termination), but rather to remove the infringing material, IMHO, right.

    I'm an author and a filmmaker, I've worked with the MPAA, I've seen my work pirated, I've heard studio heads freak out about the fact that their product is available on the Internet three weeks before theatrical release. (Anyone who hangs out in IRC knows this to happen.) I see that the problem is real. I also see the MPAA being very defensive, but most certainly not offensive (think strategy, not personal opinion ;) in their fight to stem this tide.
    • by danaris ( 525051 ) <danaris@mac . c om> on Friday August 16, 2002 @10:33AM (#4082783) Homepage
      I'm an author and a filmmaker, I've worked with the MPAA, I've seen my work pirated, I've heard studio heads freak out about the fact that their product is available on the Internet three weeks before theatrical release.
      First of all, let me say that I am in no way affiliated with anyone in the industry, and, as such, am basing my comments entirely upon what I have been able to glean from other people's accounts. Thus, if anything I say is incorrect, please feel free to correct me--I am always looking for a better understanding of this subject.

      I don't think any of us here will disagree that piracy happens, and, to individuals such as yourself, it might truly be a problem. However, our two main gripes are 1) they're going about fighting it in all the wrong ways, and 2) the amount of money actually lost to the RIAA through piracy is so small as to be insignificant (to them; if any of us actually got that amount of money it would probably make us very happy), and, from what I can tell, only a very tiny fraction of that would get back to the artists/movie makers/etc.

      To address these points more fully:
      1) Yes, the piracy happens, and digital piracy happens, but by far the biggest piracy is analog. Most of the problem isn't people ripping a DVD of a movie and distributing that (though it happens); the problem you mentioned, movies appearing early, is usually accomplished by some insider (or semi-insider) leaking it; they have access to the original source material, so none of this would stop them from copying it. The other problem is that they are assuming the consumers are all thieves, and thus punishing everyone for the sins of a few. What they could be doing instead is looking for better ways to make buying the product attractive (like dropping prices or something).
      2) The RIAA/MPAA talk about numbers of pirated copies sold in a certain period (side note: how the heck do they even know? Do the pirates tell them??), and take those, with the amounts they would have been paid, had all those copies been bought from them, and come up with an amount that they call the amount of money they've lost to piracy during that period. The first problem with this is that, if they had not bought the pirated copies, most of those people would not have bought anything from the RIAA/MPAA. Then, even if those numbers were correct, I think they could afford it. How much do they spend on campaign contributions a year? I would bet that it's at least as much. And, of course, the "poor artists" who are being robbed by the "evil pirates" would get very little of the money.

      Once again, if any of this information is inaccurate, please do not be offended; instead, simply tell me what I've gotten wrong.

      Dan Aris
  • I wouldn't get too worried over MS actually following through with PD. The fact is that security is so often a trade-off for functionality, and that MS has usually erred on the side of functionality, not security. That's a tough habit to break. If they follow through with a "trusted" system, they are pretty much guaranteed to end up with a system that is not user friendly because it doesn't trust the user. I know this is a simplistic way of looking at the problem, but we've seen plenty of MS research that never left the ground and received plenty of hype.
  • Outside USA (Score:3, Insightful)

    by t_allardyce ( 48447 ) on Friday August 16, 2002 @09:03AM (#4082256) Journal
    What does the bill say about foreign piracy? Will the RIAA be attacking systems that are outside of the USA? If American soldiers came over to another country and killed/kidnapped someone there would be hell to pay (ignoring Afghanistan lol). Likewise, if the SAS went to America and did the same, there would also be hell to pay.

    "To me, it's another example of the insane lengths the entertainment companies are willing to go to preserve their business models. They're willing to destroy your privacy, have general-purpose computers declared illegal, and exercise special vigilante police powers that no one else has...just to make sure that no one watches "The Little Mermaid" without paying for it. They're trying to invent a new crime: interference with a business model."

    That's got to be the best way I've heard it put so far.
  • There's nothing in Pd that prevents someone else (MPAA, Disney, Microsoft, your boss) from setting up a partition on your computer and putting stuff there that you can't get at

    Now what the hell is this gonna be for? Data on MY hard drive that MY computer cannot access? Sounds like storage or something to me (spyware?)...
    Will I see any money for this (i.e. "rent") for the hard drive space that I don't get to use now?
    I don't care how much or little this will take up, but I am going to want that space.
  • by pmz ( 462998 ) on Friday August 16, 2002 @10:03AM (#4082597) Homepage
    Amendment IV.

    The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.


    How is my hard drive and RAM different from my "papers" and "effects"?

    Let's say I have 3,000 VHS videocassettes in a home owned by me. Those cassettes contain blatantly illegal copies of The Country Bears, which I intend to sell for profit but haven't, yet. The FBI cannot break into my home at any moment to see whether the videocassettes are there; they have to wait until I sell them, carelessly leaving a trail right back to my home. Only then, with a warrant in hand, do they come and confiscate the cassettes, probably arresting me, too.

    Let's say I find a way to copy one of those videocassettes onto my Palladium-equipped PC but haven't distributed it, yet, even though I intend to. Will there be something about this act that triggers Microsoft's piracy alarms? Even though I haven't technically broken the law, yet, can Microsoft or their hit-men enter my computer without a warrant and delete that movie?

    How is entering my computer through a network interface different than entering my home through the front door?
    • Actually, you're mistaken. If the FBI learns you have 3000 VHS cassettes containing copies of The Country Bears, and catches wind of your intent to sell them, they can nail you well before you actually carry out the act. That's the definition of conspiracy.

      Likewise, the police don't have to wait for you to attempt murder if they know you're planning one. Authorities can arrest and convict you merely by proving intent.

      • ...they can nail you well before you actually carry out the act. That's the definition of conspiracy.

        This is fine, but what if the conspiracy is totally stored within the mind? In either case, whether the movies are in my house on cassettes or on my hard drive, there is no clear external sign of intent.

        The point I'm trying to get at is that Palladium might be a means of allowing me to be labeled a conspirator without there being real proof of it. In my post, the movie had simply been copied to the hard disk, which, in itself, doesn't break the law. The intent to distribute it isn't stored on the hard disk but the mind. Without proof of that intent, Microsoft, the RIAA, and/or the MPAA are, in my opinion, infringing on my Fourth Amendment rights by sneaking in to perform their brand of justice.

        While we're at it, the First Amendment (free speech) and the Sixth Amendment (the right to a trial) should be considered, too. If Microsoft, the RIAA, and the MPAA think they can bypass the U.S. Constitution, of all things, in trying to preserve their way of life, they are arrogant beyond belief.
    • You're misinterpreting the search and seizure laws we have in this country. The FBI can go anywhere and do anything it damn well pleases, as can any law enforcement organization. However, not possessing a warrant simply means they can't use the evidence against you in court. A lot of dirty cops will search and/or seize cars and houses of suspected drug dealers without warrants of any kind without ever intending to prosecute, hoping that enough harassment will get them to roll over on THEIR dealers. This is what current drug laws in the US allow.....and it's gotten worse with the Patriot Act. Be afraid....
  • Or have we all just given up commenting about it... Bruce's name is spelled wrong in the headline.

    Sheesh...
  • "[TCPA / Palladium] provides a computing platform on which you can't tamper with the applications, and where these applications can communicate securely with the vendor."

    Does it concern anyone that Microsoft, Oracle, AOL, Disney, etc... would have control over your computer if this standard is implemented (and you use a windows platform)? Does it concern anyone that corporations and governments could delete anything they found objectionable?
    Truth is: had the US government realised how big the Internet would become and how free information would flow, they never would have allowed it. With TCPA / Palladium, governments and corporations will kill the freedoms we now enjoy on the web, usenet, ftp, etc.

  • by jarrell ( 545407 ) on Friday August 16, 2002 @11:02AM (#4082960)
    I find it entertaining that after all these years, someone is finally re-implementing Multics...
  • "Microsoft can't afford to have the media companies not make their content available on Microsoft platforms, and they will do what they can to accommodate them."

    I think it is the other way around. No media company can afford to offend M$. There are lots of media producing companies, and about 5 real OS manufacturers. M$ has the BIG stick in this case not intel or amd or any computer or software manufacturer.
  • The mere need for Pd wouldn't exist if it weren't for the fact that Windows is a single-user operating system hastily and badly written as a pseudo-multiuser OS with inherently poor and hackable security. Microsoft Windows is what would've happened to the original Mac OS if Apple was successful in hacking their old Mac OS (pre-Mac OS X) to work as a multiuser, multithreaded OS, IMHO.

    The only thing that made Windows different from the old Mac OS in terms of security is that the Mac OS never reached a critical mass of users. So, as a result, virus makers never bothered to make the volume of viruses or hacks to penetrate the old Mac OS.

    Microsoft, IMHO, is trying to simply wrap up their inherent inability to write anything with sufficient security by making a product, and charging users for something they should expect as part of any trustworthy operating system's initial cost of purchase.

    Of course, there's no guarantee it will work as advertised--another Microsoft trait.
  • Is it just me, or am I wrong to be suspicious that any company would have the blatant ego to release something like Palladium, which could have the capabilities of squashing all competition, in light of an antitrust trial?

    It looks like the Bush Administration wants the DOJ to give Microsoft a slap on the wrist, however. Even though they've been found guilty of leveraging their Monopoly powers to squash competition.

    I'm not going to point to any conspiracy theories, etc., just a gut feeling. Could it be that the Bush Administration secretly wants Microsoft to deploy Palladium?

    If Palladium is as bad as people are saying it is, it has the capability of forcing every computer user who wants to use the internet in a meaningful way to use the same exact (or very similar) system as everyone else.

    Imagine that MS deploys Palladium, then announces that they are going to "cooperate" with the Office of Homeland Security, allowing them to use the capabilities of Palladium to "fight terrorism."

    Working together with Microsoft, the government could suddenly have access to everyone's hard drive. Not only in the United States, either, but on any PC in the world that is running on Palladium hardware. Unplugging your PC from the network won't even be an option if you are required to be connected to use any software.

    And of course, anyone who resists upgrading to Palladium after a certain period of time would not only be pictured as being against capitalism by refusing to spend money to upgrade their PCs, but would also be seen as aiding the terrorists by using non-Palladium hardware.

    They could also justify a military raid of Southeast Asian countries for producing "terrorist computer hardware," in other words cheap computer hardware that is not Palladium-enabled.

    I might be a bit alarmist, but it seems that some of the capabilities of Palladium are very much aligned with the Bush Administration's current track record of curtailing our civil liberties and screwing around with other countries in the name of "fighting terrorism."

    Additionally, though I'm still skeptical, I'm becoming more and more convinced of the possibility that the Bush Administration knew about what was going to happen on 9/11 at least a few weeks beforehand.

    I certainly hope we don't start seeing "Palladium-enabled" purchasing kiosks at our supermarkets and so forth, but it wouldn't surprise me. Revelation 13 is seriously starting to freak me out.
