Windows Security GM Talks NGSCB (Palladium)

An article at IT Manager's Journal (along with Slashdot, part of OSDN) reports on John Manferdelli's recent talk at Stanford on what Microsoft is calling for now its "Next Generation Secure Computing Base," or NGSCB (formerly Palladium). Manferdelli is the general manager for Windows security at Microsoft, and his presentation was mostly about the technical, not ethical or other considerations involved in this system. His position is understandably different from those of privacy and free software advocates who assert that Microsoft's elaborate security is designed to lock users into Microsoft software at the expense of privacy and choice.

What it's about:

"Trusted Computing" basically means "you TRUST us, we don't trust you."

A great victory for consumers everywhere.

Re:What it's about:

More accurately it means:

"People who don't trust you can trust your computer to control you."

Re:What it's about:

More accurately it means: "People who don't trust you can trust your computer to control you."

Actually it means that people who do not trust your computer configuration can pass data to you and be confident at some level that it is not exposed.

Palladium is no better for DRM copyright enforcement applications than any other hardware technology. The problem with DRM is that it is break once run anywhere. Palladium like any other hardware enforcement system is breakable, the catch is that you have to break a system that is trusted by the sender of the data.

For copyright control you cannot be any more selective about the destination machine than requiring it to be a palladium machine. So it only taks one palladium machine ever to be broken and you are toast.

For control of sensitive company documents the issue is very different. I can configure my systems so that they only deliver sensitive data to specific palladium pcs that I have designated as trusted and to obtain my documents you have to break those specific machines.

There are still people who complain about this sort of thing. Where would the world be without corporate whistleblowers? Pretty much where we are today, there were no shortage of whistleblowers on Enron, Krugman reported repeatedly in the New York Times, few took notice until Enron collapsed and suddenly it was open season, everyone acknowledged that Enron and co had ben ripping off California...

Security is security, you can't expect technology to enforce your particular set of ethical constraints. Palladium turns out to be very useful for meeting a real business need which in most cases is completely legitimate. I do not want communications with my lawyers to be disclosed. Confidentiality is in general a good thing, it is occasionally a bad thing.

But one thing to consider is that the greater the confidence that people have that their communications are secret the greater the probability they will say something in a permenant form that later compromises them. Nixon discovered this. I don't think that security will prevent disclosure of information about criminal activities and frauds.

Take Diebold for example, if they were cluefull enough to have used DRM to control their internal documents they might have been cluefull enough to secure their Web site to stop an attacker from compromiseing their software to rig the vote. What we need in the Diebold case is not internal company memos with incriminating information. What we need is a reliable security audit.

Re:What it's about:

Actually it means that people who do not trust your computer configuration can pass data to you and be confident at some level that it is not exposed.

That is one element of what it is about.

If they can trust the programs on your computer to do what they want, then those programs can also be trusted to control your behavior and actions.


Palladium turns out to be very useful for meeting a real business need which in most cases is completely legitimate. I do not want communications with my lawyers to be disclosed. Confidentiality is in general a good thing, it is occasionally a bad thing.

There is this thing called cryptography that meets the business need you speak of.

The "business need" that Palladium meets is the need to control users behavior, what software they can run, and perhaps most importantly, what software they can NOT run.


But one thing to consider is that the greater the confidence that people have that their communications are secret the greater the probability they will say something in a permenant form that later compromises them.

If you can't stand up for what you say, then don't say it. And please do not run for public office. Let your "yes" mean yes and your "no" mean no. Say what you mean and mean what you say.

Yeah, wonderful thing here. The ability to say something, and then later take it back, knowing that one can trust other users computers to obey.


Where would the world be without corporate whistleblowers?

This is an interesting issue. What whistleblowers are about is someone who is involved or exposed on some level to wrongdoing and then decides to blow the whistle. Palladium will never stop this. Whistleblowing is about one of a bunch of thieves developing a momentary feeling of guilt. I am not aware of any whistleblowers who obtained their information by snooping in information they were not supposed to have access to. Palladium won't stop whistleblowers. It will just stop you from doing things with your computer that Microsoft does not like.

Re:What it's about:

Actually it means that people who do not trust your computer configuration can pass data to you and be confident at some level that it is not exposed.

TO YOU. That it is not exposed _to you_.

Why do the MS apologists always leave out those little important words that make all the difference!

Re:What it's about:

Fixed link to the article - is here [itmanagersjournal.com]

Re:What it's REALLY about:

Will we keep our right of private ownership of computers?
Will we keep our right of free use of our Net?

ehm... i think it's grotesque that someone would even think of asking these questions.

i also think that the whole 'Next Generation Secure Computing Base' thing is about who will be pimping who.

some time before we'll get the final version of longhorn stuffed down our throats, msft will probably have decided that it's in everyone's (*) interest to expand the trusted compiting base to the full operating system, and we'll be able to forget about using any software that wasn't okay'ed by msft to run on the system. (= signed code?)

maybe we'll see modchips for regular computers in the future too?

better start stroking the penguin sooner than later!

h357 - paranoia est. 1977

(*) everyone = riaa/mpaa members, msft themselves, anyone who pays premium prices to develop software using msft tool

Re:What it's about:

More like: If you work with us*, we'll trust you.



*"Working with us" is defined as not competing with any of our products and offering appropriate compensation by not working with our competitors and agreeing to only develop only for our latest products, helping us enforce the upgrade cycle.

Re:What it's about:

yup. and it means that they are going to do everything in their power to stop us from having any freedom. That includes forcing us to use a BIOS that will only "trust" their OS and thus render most hardware useless except for Windows.

See more here [slashdot.org].

(Please note that this comment mentions that we have to trust them and they don't trust us.)

Re:What it's about:

If you're allowed to...might have to download the "Windows secure BIOS update tool" and only be allowed to flash "trusted" BIOS images

Re:What it's about:

You left out:

Copyright (C) 2002 Richard Stallman.

Verbatim copying and distribution of this entire article is permitted without royalty in any medium provided this notice is preserved.

When you're copying an entire essay, is it really too much to include a few lines at the end, so that people know who wrote it and what they're allowed to do with it? It's not like you have to copy-type it, we have copy-and-paste working reliably now? :-)

Incidentally, the original article included a few footnotes, and is available on GNU's site [gnu.org].

Trust doesn't enter into it at all...

Isn't it more like "you MUST 'trust' us or you cannot access the internet"? That's the eventual goal, anyway.

No one seems scared by this! I'm terrified.

I'm on the Gentoo IRC channel a lot, getting help and giving help when I can. But when I try to bring up the pitfalls of trusted computing, all I get is a 'huh'? or "nah, it will be ok I'm sure".

It's like everyone has their heads in the sand. When the major BIOS makers are going to trusted only computing, where are we going to run our Linux?

Some people say "just buy a Mac". I'm sorry, if I could afford a Mac I would. But since I can't build a brand new Mac for $475 like I did the machine I'm using now, it's going to be a while. And the only reason I built this so cheaply is because I didn't have to pay a Microsoft tax.

I want a machine I can build myself. An OS that I build myself. When I do that, I'M THE ONE WITH CONTROL! Not MS or Dell or Gateway or Pheonix.

Security?

Manferdelli is the general manager for Windows security at Microsoft

Rumour has it, he only works one day a week :o)

Re:Security?

Rumour has it, he only works one day a week :o)

i would think the opposite: his beeper must be going all the time!

Heh

Manferdelli is the general manager for Windows security at Microsoft
The title is also called 'The guy who sits round doing nothing' at Microsoft HQ.

This is a test, right?

So I guess slashdot has gotten to the point where they don't even bother linking to an article since no one actually visits the sites anyway.

Somebody set us up the bomb

All your BIOS are belong to us.

Re:Glimpse of the future

SF author Cory Doctorow [craphound.com] made a similar point in a story /. posted some considerable time ago - it's called 0wnz0red [salon.com].
Doctorow's story calls it "Honorable Computing", and perhaps stretches the capabilities a little further (writer's hyperbole?), but in essence what he's talking about is DRM and piracy:

"Got it: so if the OS and the CPU and so on are all 'Honorable'" -- Liam described quote-marks with his index fingers -- "then you can be sure that the execution environment is what the software expects it to be, that it's not a brain in a vat. Hollywood movies are safe from Napsterization."

Not 100% on-topic, to be sure, but I like Doctorow's story a hell of a lot better than Microsoft's. Go read it, and see where the future might be headed!

Link to article

The link above appears to be to /.
Here [itmanagersjournal.com] is the article on the IT Manager's Journal site.

Perfect article!

It's the perfect article, touches Microsoft, DRM and the evil once known as Palladium! Best of all no one can read the article because it justs links back to slashdot. Everybody can shoot from the hip on this one, because once again the only link in the article wasn't even checked to see if it works. Do stories here get reviewed and selected by a seven line perl script?

Illegal Citizen Activity

I'm getting the message

"Citizen 6767323#2 you do not have sufficient security clearance to access this page, your local Police have been automatically informed of this infraction. Have a nice day"

So I don't think it's Slashdotted.

Upgrade or "Surreptitiously Copy"?

Files within the NGSCB architecture will be encrypted with secret coding specific to each PC, making them useless if stolen or surreptitiously copied.

My concern with this would be what happens when you upgrade? How do they differenciate between new hardware and "surreptitiously" copying files to a different system? I remember all of the Office XP Activiation nightmares, and I can't help but think this will turn into a complete fiasco, too.

Re:Upgrade or "Surreptitiously Copy"?

Actually what scares me most about this is what happens when your motherboard dies, you now have a new pc with the old hardware and no access to your files. Also what happens if you upgrade to longhorn 2010 do you lose access to those files. it is a standard microsoft tatic.

At least some people do understand what's at stake

For those who don't understand what "Trusted" Computing, DRM, NGSCB and friends are all about, but do want to be awakened to reality - here's a red pill [cam.ac.uk].

repeat after me...

Ok, repeat after me...

Every attempt to lock down ID's, every attempt at DRM, every attempt at hardware ID (remeber Intel's great Proc Id idea?) has failed.

Not only has it failed, but the backlash they have caused has made the problem they were to solve worse. True, this is a real threat to peace, love and freedom, but in the end, the consumer decides, and while the unwashed are unwashed, if you piss them off enough, they will find something else, and the tend to find it with a speed that is previsouly to be unthought of (remember Napster?).

Does that preclude us fighting these type of initiatives? No, but at the same time announcing the End Of The World is a bit rash...

What's Next - Scheduled Meetings
Thursdays 2600 GMT

Re:repeat after me...

>every attempt at DRM,

Not sure if you would consider this as DRM but CD-key which are verified online such as HalfLife or Quake3 are pretty succesful.

Also Windows XP activation would also be considered "succesful enough".

Re:repeat after me...

Also Windows XP activation would also be considered "succesful enough".

They were successful? Oddly, I seem to remember licence keys to corporate/enterprise versions of Windows XP before I could even try and purchase a copy.

This didn't change much with SP1, despite the fact that said master keys were removed.

If you only look at Windows XP Home, it isn't pirated much (due to Windows XP Professional being freely available anywhere). Everyone I knows hate it due to the fact that one has to call Microsoft Support every once in a while.

HalfLife didn't check keys in LAN. And I never had problems with Quake3 servers.

So, I'd have to say they aren't in the very least successful.

Acroynm miscommunication

Windows Security GM Talks NGSCB (Palladium)

Was I the only one who initially read GM as Game Master?

Yes, and No

Granted all systems of non trivial size have bugs, but it would seem that microsoft in integrating so many of its products together have left themselves vunrable for many chain reactions. So each bug in windows can have a much more severe effect than an equivelent one in a different enviorment.

optional is good....

if the article is accurate, MS says the trusted computing feature can be optionally enabled/disabled. glad to hear this. what is more relevant is whether the user will have the option to run certain applications in untrusted mode. i fear that software makers will bind users hands.

Sealed storage

Say anything else, but sealed storage is a simple concept, we control what can be saved. What we need to be concerned with is how they secure it. If sealed storage is at the hardware level, then the "sealed PC" MS has been seeking for years will be a reality.

How can you install Linux, BSD or WinXP if the device itself requires the OS to authenticate? You can't. Sure you may be able to crack a work around, but what company will run software that is in place via crack?

This brings up the next issue, what happens when you replace your box? We have heard of all the fun people have had with XP licensing and system upgrades. Do you get to keep all those MP3s or do they not belong to the box. If you can authenticate on a second box, then you really don't have a secure system using the box.

While MS likes to dismiss these as "we are working on it" they will again be in a position to dictate their use. By the time grandma learns all here files are now secure and she must pay to move them to her new box, it will be too late. This idea that we can somehow wait for MS to figure out a solution in secret that we can all live with is crazed.

If we are going to take a secure machine approach it will need to be a standardized one, open for all to use. I don't think we will see MS jumping to support that concept.

Absurd

Microsoft sells an OS vulnerable to buffer overflow exploits.

The obvious solution for secure computing -- better quality control on their code.

The Microsoft solution -- anything but better quality control. Limit the user's control of the machine. Enact a code-signing scheme. But, whatever you do, don't make us audit millions of lines of our own code.

Re:Absurd

Actually they're doing both. Much of the .Net initiative is about managed code which will eliminate buffer overflows, thus eliminating security exploits. Longhorn will be built with a lot of managed code.

Palladium, however, is about extending this security at both ends. The internet is great but it suffers from being based around the notion of naive trust instead of verifiable, secure trust. While this worked in the eary days of the internet, it simply does not work now. With computers being connected via broadband and always connected to the internet, OSes and the way they communicate internally and externally have to begin to build a system whereby they can verify, and thus trust, those communicating with the system, whether it be via IM, e-mail or through VPN.

Simply put, the internet is no longer a hobby. It is quickly becoming as important a part of our infrastructure as electricity and roads, to name a few. To this end, there must be a way to ensure that communication via the internet is secure and can be trusted. Palladium is only one method to obtain this trust.

Re:Absurd

"The internet is great but it suffers from being based around the notion of naive trust instead of verifiable, secure trust. While this worked in the eary days of the internet, it simply does not work now."

"Simply put, the internet is no longer a hobby. It is quickly becoming as important a part of our infrastructure as electricity and roads, to name a few."

Indeed. That's why my telephone will not allow me to dial someone while it registers that I'm playing music in the background. It's also why all my mail is opened by the post office to ensure I'm not shipping any copyrighted material in it, and why my electricity shuts off when I try to use it to play a CD I've borrowed from a friend. And why my car will shut down if I go over the speed limit.

Oh, wait, that's not at all how it works, is it?

Secure, verifiable trust has never been part of our infrastructure, and the internet does not increase the need for it.

Communication over the internet is not secure, but then neither is any other form of communication wether by mail, fax, phone or physical delivery, unless you take certain steps to ensure it is.

Not about trusting Microsoft

The bottom line: Do you trust Microsoft? That's ultimately what this is all about.

I don't understand what it is about these technologies and their evangelists that makes it so easy for them to wooll over listeners and analysts eyes. I mean, the author of the article quotes Stallman's and Sulzberger's comments, but they seem to go in one ear and out the rest.

This isn't about whether one trusts Microsoft. People who dislike Palladium and TC are not tinfoil hatters who think that once it is deployed Microsoft will use it to take over the world, or whatever. The bottom line is exactly what Sulzberger says: How much control should users have over their own systems.

Microsoft's representative covers this up in invented technical terms, and talks about "security" and "trust" because those words sound good to the uninitiated, but that is just a smokescreen for the true neature (not a lie - they are upfront about what the system includes, they just spin it so people Chris Preimesberger will miss the point).

The point is this: every piece of "security" and "trust" that can be gained from Palladium is gained by palladium taking away from the user control of his own computer. Once that control is removed, ISPs can "secure" and "trust" that the user has his system configured as they mandate (see the Cisco router story). Microsoft can "secure" and "trust" that their software is licensed and registered. The record companies can "secure" and "trust" that their songs cannot be copied, ALL BECAUSE ULTIMATELY THE COMPUTER, NOT THE USER, IS IN CONTROL!

The question he asked "Does Microsoft have a back door" is stupid. Nobody serious believes that Palladium contains a backdoor so that MS can take over the computer. They believe the point with Palladium's design is that software can be installed with restrictions that the user cannot circumvent, and that people will be forced into installing such software, hostile to themselves, on their own PCs, in order to exchange data and connect to the Internet.

The reported responses from the MS representative give us absolutely no reason to answer "no" to either of Sulzberger's questions, even though the article claims so. In fact, when MS say things like, "We are building a scalable, distributed credential-based security model here," and list features of "attestations with authenticated code that is affiliated with only that particular process" - that is exactly what Sulzberger and Stallman are talking about. The Palladium computer will attest - BEYOND THE USERS CONTROL - whether the computer is running software that is "trusted" by the counterpart and hostile to the user, exactly so that the counterpart can mandate the use of such software (read DRM).

The fact that Microsoft tell us that the code will be open for review gives absolutely no confort. It is not the code, but the very concept of Palladium that is frightening beyond belief. Apparently Microsoft have nothing to fear regarding being open about it, as for some reason so many people cannot seem the grasp the point that Stallman, Sulzberger, and myself scream into the void!

An interesting propagana technique

Manferdelli is the general manager for Windows security at Microsoft, and his presentation was mostly about the technical, not ethical or other considerations involved in this system. His position is understandably different from those of privacy and free software advocates who assert that Microsoft's elaborate security is designed to lock users into Microsoft software at the expense of privacy and choice.

This is a classic example of a propaganda technique. An organization with an goal that is unpopular casts a spokesman as an authority on that goal, but only on a narrowly defined scope. This serves to limit the terms of the debate, as well as to get people to accept tenets of the organizations goals.

In this case, Manferdelli is only an expert on the technical aspects of secure computing. The concept of secure computing is something that a lot of people opposed to Palladium actually accept. It's possible to win converts or at least marshall good PR by getting people to "agree" with Microsoft's technical goals, even when they disagree with the larger implementation and motivation.

This technique is common in totalitarian countries. For example, you may be opposed to Nazi eugenics, but Dr. X, who is only an expert on the medical problems associated with poor breeding, can quickly have you agreeing that birth defects and disease are bad. Once you're that far, why, the overall issues and conclusions of eugenics are much more reasonable and less objectionable.

Overall, this technique works great, and you might even find it in use in your place of work. You limit the scope of debate, removing the things that people really object to, and then get them to agree to things "on their own merits", which makes the overall plan more palatable.

Re:Doomed from the start

I see no reason why human ingenuity is supposed to freeze at the point this technology is released...

I see a reason: DMCA. It won't stop people, but it will chill public disclosure and freedom of speech, as we know from experience. It can stop the knowledge from reaching a critical mass. People who would circumvent DRM and Trusted Computing are a minority, and if the DMCA can keep it that way, we will never reach critical mass and stop DRM and TC.

Is he serious?

Today most people who have a computer do not really completely control their computer. They run a Microsoft OS, and they will never put any sniffers on their connection to the Net. Viruses, Trojans, and worms parasitize their machines. In general, it is hard to get any Microsoft system to do what you want. But some folk actually have pretty good control of their computers. Palladium is designed to ensure the continuation of the situation for most users, and to prevent the sale and use of computers which can be controlled by the user. [emphasis mine]

Let's take this apart:

do not really completely control their computer. They run a Microsoft OS...

Quite true - those who run an MS OS have very little control over what their machine does. They don't have the source, so they can't fix the bugs, and their machine is constantly prone to virus infection.

In general, it is hard to get any Microsoft system to do what you want.

Nothing new, this has been the case for quite some time...

But some folk actually have pretty good control of their computers.

Translation: some folks use Linux.

Palladium is designed to ensure the continuation of the situation for most users, and to prevent the sale and use of computers which can be controlled by the user.

Translation: Party's over folks. We're going to make it so that you can't install Linux, because we don't like it. I really can't say enough about how evil this is: they want to take control of a person's PC away from the owner?! Consider what kind of mindset would want complete control over someone else...

Some features Microsoft will introduce in the future:

• Web publishing fees. For an additional $15/month, you can use your MS Palladium enabled OS to publish web pages! Of course, you'll still have to pay for hosting.
• Developer licensing fees. Now Microsoft has made it easier than ever to develop for Windows! With the new bulk discount program, royalties are charged only when someone buys your program.
• Annual subscription rates: The new annual rate of $350 saves you $10 over the $30 monthly rate!
• Free automatic system cleanup - brought to you by the RIAA and MPAA. For an additional $5/month, System Cleanup will ensure that you have no infringing copies of copyrighted works. Avoid a costly RIAA lawsuit!

This is evil, pure and simple. It's not merely designed to stop copyright infringement - this is designed to force anyone who uses a PC to pay annual or monthly subscription fees to Microsoft.

Yeah, I know. But what should we expect from a convicted felon?

I guarantee I will not buy a Palladium equipped PC. I'm serious - I'll start building my own from processor and circuit board if I have to.

Microsoft's agenda

Emphasis added...

"Today

most people who have a computer do not really completely control their computer. They run a Microsoft OS, and they will never put any sniffers on their connection to the Net. Viruses, Trojans, and worms parasitize their machines. In general, it is hard to get any Microsoft system to do what you want. But some folk actually have pretty good control of their computers. Palladium is designed to ensure the continuation of the situation for most users, and to prevent the sale and use of computers which can be controlled by the user.

If you don't read that closely, it might look like he's talking about how viruses and worms reduce many people's control over their computer. But he's really saying that Microsoft wants to ensure that everyone doesn't really control their computer.

"Since today

Microsoft's control is not complete over machines running a Microsoft OS, many home users copy and re-distribute popular songs, whose copyrights the home user does not have. So the real issues are not clear, and discussion of Palladium in most newspapers is centered on political questions of copyright law and practice."

What's not clear? He all but says that Microsoft wants to control your computer to stop you from copying songs - and, I assume, software.

Really, I was expecting something at least a little subtle.