Researchers Looking at Alternatives to Palladium 221
An anonymous reader writes "Some folks at Stanford have been looking at an alternative architecture for doing trusted computing (ala Palladium) based on using Virtual Machines. They presented a brief paper describing their work a couple weeks ago at the USENIX Workshop on Hot Topics in Operating Systems . In their paper they also discuss a bunch of non-DRM applications of Trusted Computing such as distributed firewalls, improving P2P security, preventing DDOS, and even strengthening civil liberty protections."
Well for a start. (Score:1, Funny)
There's nobody stoping... (Score:5, Insightful)
The fact is DRM takes away the PEOPLES' rights to choose who to trust.
Re:There's nobody stoping... (Score:4, Insightful)
DRM lets you send stuff to people you don't trust, because you trust that the software will prevent the people you do not trust from taking actions you wish to prevent.
It has nothing to do with defining who YOU trust.
Re:There's nobody stoping... (Score:4, Insightful)
Re:There's nobody stoping... (Score:3)
If you don't like it, don't use it. I won't buy anything that "limits" my fair rights uses. If everyone else takes the same stance, it'll flop and the industry will move on to another way to screw people. If people do accept it and it becomes the defacto standard, I'll just have more money in my bank account to put towards a new car...
Re:There's nobody stoping... (Score:5, Insightful)
For instance, a book publisher can not sell you a book you're not allowed to resell. They also can not forbid you from reading a book more than once or reading the book to your child.
DRM enables copyright holders to completely eliminate used sales and move the entire world to a pay-per-view world. Even more, it allows the copyright holders to have a perpetual copyright; one that will never expire for as long as the work is encrypted.
You will not "own" anything. Sure technically you own your DRM'ed digital music downloads, but just try to resell them.
The "value" of DRM'ed goods is significantly less than physical goods, but people won't realize that until laws get put in place forcing retailers to mark these goods as such.
Re:There's nobody stoping... (Score:2)
Re:There's nobody stoping... (Score:2)
"
But they do it at the cost of your freedom. They could keep us from copying their stuff by making it explode upon purchase, to, but at what point do you say its ust not worth it?
disclaimer: I did read your second paragraph, and I agree with you fully. I'm just replying because I know you're not the only one that feels that way
Re:There's nobody stoping... (Score:3, Interesting)
Well ya, you're right, but in the case it's be used, we are the people the RIAA, MPAA and everyone else doesn't trust. We, being anyone with any form of access to a computer.
So the question (or just one of the main) is, Why should I invest in a platform that will keep me from copying/burning/reading/deleting/modifing/anythin g else you c
Re:There's nobody stoping... (Score:2)
Because it isn't YOUR DATA?
Forget the RIAA and MPAA for a moment. The world does not revolve around geeks ripping DVDs and CDs. Sta
Re:There's nobody stoping... (Score:5, Interesting)
I saw an ad for a DVD that said "Own [some movie] today on DVD". It did not say, "License [some movie]".
Therefore, they are selling me a copy of that movie. By the doctrine of First Sale, it is mine to do with as I wish, including cracking the CSS or region coding, folding, spindling, or mutilating, reselling to someone else.
The only thing that I may not do is reproduce it for other people, since I don't hold the copyright.
MPAA refuses my money (Score:5, Insightful)
Not only that, but the MPAA commonly encourages piracy.
Let's say I want to see "The Two Towers". It is no longer in theatres, can't go there. It is a LONG time before they sell a DVD; so I can't pay them that way by buying a DVD. The only alternative is to obtain somehow a pirated DVD copy of "The Two Towers".
No way should they whine about money-loss to piracy when they aren't selling it in the first place! There is a demand for their product, and in this example, they refuse to meet it in any way.
Re:MPAA refuses my money (Score:4, Insightful)
So if someone won't sell you something you want, it's ok to steal it? For God's sake, grow up! Learn to wait a couple of months for the dvd to come out.
Re:MPAA refuses my money (Score:2)
I never said anything about stealing. The only way you can seal "The Two Towers" is to break into some Time-Warner vault and swipe a copy.
" For God's sake, grow up", to quote you.
Re:MPAA refuses my money (Score:2)
Now here's MY answer to your question:
"So if someone won't sell you something you want, it's ok to steal it?"
The answer is "yes".
If you refuse to allow someone(as in anyone) to see it in exchange for something, you lose the right to deny someone(as in anyone) seeing it.
Once you are willing to part with it for a price, you may deny those who wont pay that price.
That
Seeing The Two Towers (Score:2)
Let me see, I can drive hundreds of miles to your theatre to see it, I can drive to any place where it is stored to break in and steal a copy (some other guy suggested stealing), or I can get a pirate DVD copy somewhere.
What is missing is the option to buy a copy from the movie studio. Sure, they will come out with it eventually, but every day they refuse to sell a DVD that people will give them good money for is
Re:There's nobody stoping... (Score:3, Insightful)
Re:There's nobody stoping... (Score:2)
Your analogy doesn't make any sense to me. In order to HAVE the car keys, they must be given to you first. If you must be trusted in order to be given the car keys, then having the car keys implies that you are trusted.
If you have zero trusted systems, you have zero points of failure, and 100% security.
So you've got zero systems setup at home then?
Re:There's nobody stoping... (Score:2)
Your analogy is a bad one, because it implies to the layman that trusted computers are keeping your computer secure, when they are just as likely to be serving a task totally unrelated to security, and only incidentially (sp?) providing a wide open front door to your network.
This mis-interpretation is one that Microsoft and friends appear to be encouraging, and it would be better to spell out the difference for the layman
Re:There's nobody stoping... (Score:1, Insightful)
Re:There's nobody stoping... (Score:2)
Re:There's nobody stoping... (Score:2)
Re:There's nobody stoping... (Score:2)
Wrong, DRM gives everyone the power to choose who to trust. That's why you hate it - because you don't want the content companies to have the power to choose whether or not to trust you!
But the shoe fits both feet. You also gain the power to choose who to trust. For example, you could join a P2P network and choose whether to let people in with clients that are going to cheat, send bogus data and flood the net. It's your decision.
A
DRM != Trusted Computing (Score:4, Insightful)
The problem is that the trusted layer *must* be small so that it can be completely verified. Applications can't be so easily verified and it would still be possible to compromise Outlook, for example to send unwanted EMail. All the signature does is to say that the software hasn't been modified, but we know that applications don't need bad code to misbehave, they only need the right kind of bad data. Once the code has been signed, it must be signed again verey time it is patched. A far from simple logistical problem.
OTOH, smaller code may be more easily verified - so a driver for a Smart Card reader could be protected, as could SSL. However a programmer can still make a mistake and allow the code to be compromised.
DRM is not automatically bad! (Score:3, Interesting)
That is not DRM, that is encryption! (nt) (Score:3, Insightful)
Re:That is not DRM, that is encryption! (nt) (Score:2)
Encryption is when data is encoded so that only people with access to the a key can decode it. DRM involves encrypting data so that your computer (or DVD player etc) can decrypt it, but only on the condition that your computeris user hostile and controls what you can do with the data.
The crucial element in DRM is not the encryption but the making your computer
a Good Thing (Score:5, Insightful)
Re:a Good Thing (Score:5, Insightful)
Microsoft does have the power to do whatever they want with their operating system. Yet, for some reason that does not matter to me. I am not forced to use it, see? As long as there are some alternatives (and there are right now if you are willing to learn), I will be fine. More people need to be made aware of the alternatives, is all.
And to everyone who says, but what if Microsoft and some media companies get together to make some kind of system that ensures that content distributed in this system could only be used in extravagantly restrictive ways?
Well, darn, I guess I will not buy that content. I suppose I will just continue consuming media in all the other ways it is available to me that are easier and cheaper.
Some guy asked a better 'what if' recently in another discussion on Palladium. What if systems using this technology are required to access the Internet?
Oh, Microsoft controls the Internet now?
This is just another silly copy protection scheme, nothing more. As are any alternative silly copy protection schemes. Take the tinfoil hats off, folks.
Re:a Good Thing (Score:2)
I can't really see that happening anytime soon. The Internet was designed to be open, for anyone to be able to connect to it. Palladium and the Internet Protocol are quite incompatible, in purpose if not in technology, and any attempt to graft one onto the other is going to be messy at best.
Besides, with so many Unix/Apache servers out there, many bei
Re:a Good Thing (Score:2)
Re:a Good Thing (Score:2)
No, but what if your ISP required a Palladium-signed ID to sign on? Or your company VPN required a Palladium key to permit remote access? Never mind the prospect of requiring Pd elements to view online content, which to most users is "the Internet".
The danger is not in the tool, it's in the deployment. Lock-in
Re:a Good Thing (Score:2)
Did you even read the PDF? That is exactly what they describe. They want to replace IP (internet protocol) with IPsec (secure).
This is just another silly copy protection scheme, nothing more.
It's a huge issue because it isn't just about music sales and movie sales. Everything on computers and on the internet is subject to "copy protection".
Did you co
Too bad... (Score:5, Insightful)
Guess which one is going to matter?
Re:Too bad... (Score:3, Interesting)
Re:Too bad... (Score:4, Insightful)
"One is proposed by some folks in Stanford, the other is proposed by Microsoft and Intel.
Guess which one is going to matter?"
Neither.
Re:Too bad... (Score:4, Insightful)
Bob was an OS?? (Score:3, Interesting)
Wasn't Bob basically Clippy the first?
Re:Too bad... (Score:2)
Re:Too bad... (Score:2)
Let me try: they know how to use Google. No?
Vulgar Slang (Score:4, Interesting)
1) A safeguard, especially one viewed as a guarantee of the integrity of social institutions: the Bill of Rights, palladium of American civil liberties.
2) A sacred object that was believed to have the power to preserve a city or state possessing it.
I believe that city is called Microsoft.
"Bill of Rights"... whaaaahahaha.
---
At any rate, I have only one more word to say about Palladium. You can read all about that word here [reference.com]
Faking out Palladium? (Score:5, Interesting)
Moreso, would it be possible to fake out Palladium-dependent software by running it in an emulator that simulates the undelying Palladium subsystem?
What does a program REALLY KNOW about where it lives?
Wow, This is JUST like "The Matrix".
Re:Faking out Palladium? (Score:3, Interesting)
Re:Faking out Palladium? (Score:2)
Re:Faking out Palladium? (Score:2)
Re:Faking out Palladium? (Score:2, Interesting)
That said, palladium will probably be cracked/reverse engineered withing months or weeks of its release. at which point, microsoft will blow a head gasket and demand the immediate execution of whoever is responsible.
We need to fight this technology. I know it will be possible to turn it off at first, but this will surely cease to be possible. what palladium and other DR
Re:Faking out Palladium? (Score:2)
As soon as they're putting the keys in a chrysalis box, I'll let you know. But until then, it doesn't really matter how hard it is, so long as one single person can crack it. Really, I can't say I've read too much about how it works, but likely it'll have MS/Intel's _public_ key stored so that it can check the certificates of code that you try to run to make sure that it's trusted.
Re:Faking out Palladium? (Score:2, Informative)
Every palladium-disabled machine out there will have a different key. Getting the key out of one won't help you get the key out of another.
Really, I can't say I've read too much about how it works, but likely it'll have MS/Intel's _public_ key stored so that it can check the certificates of code that you try to run to make sure that it's trusted.
Yeah, they will have those public keys in there, but every machine will als
That can be cracked (Score:2, Interesting)
Palladium emulator + the cracked private key for my machine = sharable data
Send both to a friend. Send him whatever data you want. Through the miracle of trusted computing, you can trust that he can read the data.
Re:Faking out Palladium? (Score:2)
Not quite. The real Palladium hardware has a certificate issued by the manufacturer (whose certificate is issued by MS, etc.), which other machines can verify.
Re:Faking out Palladium? (Score:2)
This is kinda where PKI shows signs of breaking.
Maybe someone will write a virus that has as its payload a small distributed network app that hijacks CPU cycles on every PC with Palladium enabled to brute force the BIOS's private key. (You know, because every PC will need to have a copy of the central public key so it can verify signed code.)
Would that actually work? I mean, a **single** point of failure - what would they do - revoke and reissue the core keypair? Is my PC not gonna work if it isn't
Re:Faking out Palladium? (Score:2)
Re:Faking out Palladium? (Score:2)
Nope. Here's how it works:
All RSA keys come in pairs, a public key and a private key. If information is signed by a private key it can be verified as authentic using the public key.
There is a central Certificate Authority (CA). They have a key pair. Everyone knows the CA public key. This is the "root of trust". The system is based on everyone trusting the CA.
The CA contracts with a small number of m
Trusted Computing good, DRM bad. (Score:3)
Re:Trusted Computing good, DRM bad. (Score:2)
Imagine this scenario as an obtuse analogy...
You're driving home late one night in the middle of nowhere when your car breaks down. You walk
to the nearest farm. The farmer is friendly and offers to put you up for the night.
Down the hall from where you are staying is the farmer's "Horny-Young-Minx-of-a-Daughter[tm]".
You could easily wait for the farmer to fall asleep, and sneak into his daughter's bedroom.
You are the "Trusted", the farmer i
Virtual Machines? (Score:2)
We have that today. It's called JAVA. (Trolls, take a hike. Even Kreskin doesn't know when Java's dying.)
Re:Virtual Machines? (Score:2)
As far as I know, Java haven't got any DRM capabilities.
As for the security of Java, I've singlehandedly hacked the VM to be able to get at private functions and variables of other peoples classes. If I can do that, then who knows what evil hackers might do?
Think about it.. what if the only security your bank is utilizing is that your PIN is a private class variable?
Re:Virtual Machines? (Score:2)
Re:Virtual Machines? (Score:1, Troll)
I suppose you think you're funny?
Re:Virtual Machines? (Score:2)
> first virtual machine and it won't be the last.
No, the first one I believe was for Pascal. However, Java is the *most popular* VM as well as one of the most secure consumer VMs ever developed.
Other uses.. (Score:2, Interesting)
Your enemy better not be a geek! (Score:2)
Given all the effort that was put into aimbot network proxies, reverse engineering
graphic card drivers etc, I don't think that this will hold.
As soon as a Trusted Computer is enforced on the masses and keeps geeks from doing
geeky things (cheat on games, watch Startrek, listen to Linkin Park, read NY Times,
run Linux on XBOX), it will be cracked in no time.
The past shows that secure AND cheap chips do not exist. Google for the BSkyB
desaster in UK, if you're not co
Viva la Alternatives (Score:3, Interesting)
Personally, I don't think they can pull it off. But with Stanford looking into an alternative now, this means we'll at least have choices down the line. And I'm sure that both sides will look at what each other does and rip off the good ideas.
Security is important and a verifiable identity is as well. Not just for e-commerce applications, either. Even such simple issues as banning some nimrod that wants to post stupidity on your board can be solved by a solid identity model.
Hopefully, one of em will pull it off.
Actually, that's the evil side (Score:2)
I don't trust MS as far as I could throw Bill gates i
Palladium,DRM = no trust or rights (Score:5, Insightful)
How can DRM "protect rights" when it denies basic rights of fair use?
Re:Palladium,DRM = no trust or rights (Score:5, Informative)
How can DRM "protect rights" when it denies basic rights of fair use?
Ah, but there's the rub. It's not about protecting YOUR rights, it's about protecting the rights of the big corporations. Well not so much their rights as the "rights" they want - i.e. control over your computer and everything you use it for.
Re:Palladium,DRM = no trust or rights (Score:2)
Your... content... ?
The P2P public had the trust of the creative industries--and then Napster came along, and they/we stomped all over that trust. Palladium is trust as in "you can now trust us not to break the law."
Palladium, as I understand it, makes circumventing the system more trouble than its worth. Which, theoretically, would let us get back to our familiar balance of copyright and individual use.
How can DRM "protect rights" when it denies basic rights of fair use?
Fair use is not now and n
My content (Score:2)
My content. I paid for it. That kind of content. Consider the ad campaign for selling DVD's "Own a Movie Today!"
"Oh, and you still have as much fair use as anyone did before the digital boom"
Not really. The real problem is the DMCA. If the DMCA were repealed, DRM would not be a problem.
Re:My content (Score:2)
You do not own the content, you own the media it's on. You merely license the content and are granted limited rights to view it. You cannot distribute it, make derivative works, copy it for other then personal uses, or perform/display it publically.
Not really. The real problem is the DMCA. If the DMCA were repealed, DRM would not be a problem.
Please do explain. I'm guessing you're like ev
Re:My content (Score:2)
You do own the content. However, copyright law puts a "lien" on the content that generally forbids you to redistribute any copies you make.
This is similar to how you "own" your back yard, but the local government retains a lien that prevents you from building a garage within 3 feet of the lot line. You are restricted from doing certain things to your yard, but you don't say that you don't own it. Decades of IP creeping featurism have made people forg
Re:My content (Score:2)
Please do explain.... (Score:2)
The DMCA makes it illegal to "crack" and bypass these copy protection schemes which make it difficult sometimes to even view material on DVD's which you have paid for.
"You do not own the content, you own the media it's on."
Then how come they advertise "own a movie today", instead of "own the disc the movie is recorded on"?
Re:Palladium,DRM = no trust or rights (Score:2)
If it didn't have the capacity to screw you over, you wouldn't be trusting it with anything, now would you?
Re:Palladium,DRM = no trust or rights (Score:2)
Yes. The only reason he followed Frodo to Mordor at all is because Gandalf whispered in his ear that Mordor had a pretty good all-you-can eat buffet.
Which would you choose. (Score:5, Insightful)
From these guys we get Trusted Computing where trusted means trusted by the guys building the network.
So, which would you choose?
Re:Which would you choose. (Score:2)
People will choose the one there's content for, which will be the one trusted by the corporations putting out said content.
The inclination for the average Joe User to become a technological revolutionary sticking it to The Man seems to be overestimated quite frequently here on Slashdot...
Real meaning of trusted computing! (Score:5, Insightful)
The problem is we are looking at the wrong definition of trust. Most of us have in mind the primary definition: "Firm reliance on the integrity, ability, or character of a person or thing" or "Custody; care"
You have to look down the list to find the definition of "trust" that fits perfectly with Microsoft, RIAA/MPAA and the Palladium idea:
"A combination of firms or corporations for the purpose of reducing competition and controlling prices throughout a business or an industry."
Might as well called it "monopolized computing". Means the same thing.
Re:Real meaning of trusted computing! (Score:2)
But that is the definition they are using. Microsoft feels they can rely on the integrity of a Pallidum-equipped computer system.
Note that this says nothing about the user of the computer. (Unless you consider MS a user...)
Re:Real meaning of trusted computing! (Score:2)
The problem with Chemistry.... (Score:2)
Such is life... technology is conspiring to take away my rights to protect me from myself.
Well, I laughed (Score:2)
Re:Well, I laughed (Score:2)
Re:Well, I laughed (Score:2)
So why do we need to develop alternatives?
Call my a pessimist, but... (Score:3, Interesting)
I find this branch of research and publication somewhat disturbing. As legitimate, morally appealing, uses for this technology appear, the opposition should become less vehemently opposed to the technology. It's the rational reaction for rational people. If you still oppose it, you're probably irrational.
We're capitalists, however. Civil liberties have not been terribly profitable products in the past. The old-world investors will not invest in end-point civil liberties protection technologies, and will continue to put on blinders to the true value in information networks--their end-points.
However, perhaps one or two capitalists out there has realized that (1) networks have no inherent value or use on their own, and (2) people are terrified of being ruled by any network. There's a fucking market for civil liberty weapons: tools to defend end-points, tools to protect individual's rights to connect and communicate with any other end-points, tools to insure security and authenticity between any two or more individuals. Justin Frankel's "Waste" is a beautiful start.
On a related, but off-topic tangent, I've got a new buzz-word: Intellectual Macro-Economics, a way to increase the value of the US dollar.
Here's how it works, in magic-bullet glory: Article 1, Section 8, of the US Constitution provides Congress with the power to increase the artists and scientific wealth of the US, providing a mechanism for doing so (limited terms). The concept is to increase the unlimited common wealth of the US (and probably Humanity), by encouraging the creation of new works. For the last 20 years our cultural wealth has been depleted by private interests, looting the cultural commons, robbing us of the creative wealth to build with. In this, the copyright law is our asset which has been mis-managed, and stopped delivering our wealth. To increase our national cultural wealth, require the creation of new works, and consequently increase foreign confidence in the US dollar, increasing its exchange value, we must repair copyright, patent, and trademark law so that the commons will resume growing, and an immediate idea-influx (through a retro-active term truncation) would have massive midterm-longterm beneficial effects.
Another aside. One side of the IP arguement sees the limited terms as the promotion of progress. The other side (ours, and the one that wrote the damned Constitution) sees the progress as the effect of limited terms: an increase in common intellectual wealth, with a "necessary evil" to promote the production of those works. Bleh. Communications barriers. And you thought it was so fucking obvious, didn't you?
Alan Cox (Score:2)
(What are the chances of two Alan Coxes in this field of business!? Bummer for the other Alan Cox. Probably often mistaken as Linus' lieutenant...)
One posible alternative is ... (Score:4, Interesting)
DRM is like viruses: must be filtered out (Score:2)
VMs executing signed code? (Score:2)
Boneh and Rosenblum (Score:2)
Drawbacks vs Benefits (Score:2)
Trust is a good thing (Score:2, Interesting)
So they build t
p2p (Score:2)
Wouldn't it be nice if there was a P2P application [earthstation5.com] that had support for SSL, Proxy's and sets tunneling to prevent ISP's from blocking it?
well thats what the link is. It is still in beta and only available for windows so lets E-mail them [earthstation5.com] about porting it. Or maybe one of you sharp coders is looking for a project. I only know perl so I'm out hehe
Security through overworking crackers (Score:2, Interesting)
Security through obscurity-and-a-bunch-of-hard-work-to-break-it. Basically, the first time anyone skilled figures out the algorithms for the hardware, they can help someone make an emulator.
Then, all you need is the key any "trusted" computer uses. So, you brute force crack your own computer's key by having i
OK, So Let Me Get This Straight (Score:2, Insightful)
OK, So Let Me Get This Straight... When MS does it, it's Pure Evil (TM). When Stanford does it, it's Happy Fluffy Bunnies. I'm glad we're all clear on that.
Trusted means... (Score:2)
Is that so horrible? If you can't stand the thought of running a program without screwing with it, then don't try to tell other people that that's what you're going to do.
All trusted computing means is that you tell other people that you'll run the software cleanly, and they can trust you to tell them the truth. If you can't stand this level of honesty then maybe you
Re:Moron Alert (Score:2)
Maybe you should have thought of that before you agreed to these restrictions as a condition of purchase. If someone wants to sell music and put conditions on it that you don't like, you have every right to refuse to buy it. But if you do buy it and agree to those conditions,
You can listen to it in your car (Score:2)
You can listen to it in your car, but you will have to get a free copy of the song off Grokster or some other such place. This is just another example of how these DRM strategies encourage piracy and discourage sales.
You forgot a BIG part of computer history (Score:5, Interesting)
No, they started out controlled by men in white coats in clean rooms.
The microcomputer and PC revolution changed all this.
The regressive trend back to "Master Control" started with Scott McNelly of Sun Microsystems. I remember when he first laid out his grand vision of returning everything to central control via the Internet. Java was part of this. Microsoft copied the rhetoric, announcing a time when your Word app and even your Word docs would all be on Microsoft's central servers.
To protect and separate system instances (Score:2)
A secure VM implementation allows an untrusted system to be run on the same platform as trusted code. Just say I was running Windows with that new nasty little worm/trojan that does keyboard interception. I can have one instance of Windows for home-banking and another for Email. If the executable code for each inst
what's YOUR problem? (Score:2)