Talk:Next-Generation Secure Computing Base/Archive 1

From Wikipedia, the free encyclopedia

This page is an archive of previous discussion held at Talk:Palladium operating system (which has now been moved to Talk:Next-Generation Secure Computing Base). See that page for current discussion. Note also that this is not a forum for discussing the technology itself, only the Wikipedia article about it.

Arguments against Palladium

Opponents of this idea regard this as an ironic development, as Microsoft has a famously poor record in software security, with weaknesses in the security stance of their existing software being one of the prime causes of computer insecurity. One of Palladium's developers, Paul England, is quoted by MSNBC as saying "I firmly believe we will be shipping with bugs".

Anticompetitive

Opponents of Microsoft's Palladium initiative characterise it as an attempt by Microsoft to close the PC architecture, thus entrenching Microsoft's monopoly in PC operating systems into monopoly control of the entire PC industry, both hardware and software. In addition, Microsoft would also be in a position to control the market for digital rights management, and would effectively control the digital entertainment and publishing markets.

Whilst it would appear inconceivable that the PC and entertainment industries would accept this state of affairs, it is possible that Microsoft will succeed in forcing the PC industry to adopt the Palladium technology, using its marketing muscle and leveraging its existing monopoly in desktop operating systems. This could occur because of the competitive advantage that Palladium could offer to existing hardware incumbents, who might believe that they can use it to "lock in" their current dominant position in the hardware market. However, they could pay a high price for entrenching their position, by becoming dependent on Microsoft for the necessary licensing IP needed for access to the new PC market.

The entertainment industry would then have little choice but to go with Microsoft's initiative.

Compulsory

A Microsoft employee is on record as suggesting that the adoption of Palladium or similar technologies would have to be compulsory to be effective: see Ross Anderson's FAQ for details. The only way that this could be accomplished would be by making the adoption of Palladium-type technologies compulsory. This would have the effect of forbidding the sale of general-purpose computers.

Untrustworthy

Palladium puts the security chip in control of your computer. The controller of the security chip now has, if they desire, absolute control over everything that goes on in your computer, and access to all the information that it contains.

See below for why this is a thorough misrepresentation of the argument.

Microsoft already appears to be willing to take over control of its users' computers. Microsoft is reported as having already changed their EULA for their existing operating systems to allow them to install any software that they may wish on your computer, at any time. (This relates to the EULA for the 2002 security patch update for Windows Media Player: see the Register story cited below).

Arguments in favour of Palladium

For years people have criticized Microsoft for inadequate security engineering. Now that they are engaged in a major effort to address this deficiency, including Palladium, they are being criticized for doing that, too.

Voluntary

Palladium is a completely voluntary system. Each user is free to enable the Palladium technology or not. If they choose to turn it on, it is because this provides access to content and services which are valuable to the users.

Use of Office 2003 is voluntary, but many are effectively forced into using it in order to gain compatibility with other Office users. Microsoft is more than capable of using its desktop monopoly to push people onto Palladium enabled systems, and due to the design of the system it will be impossible (not to mention illegal under the DMCA and equivalents) to reverse engineer it in order to design compatible software. Faced with no alternatives, users will therefore be forced to use Palladium. This does not qualify as voluntary. Lezek 02:08, 17 Nov 2003 (UTC)
No one is putting a gun to anyone's head here. Nothing forces anyone to (A) use a computer; (B) choose a computer that is based on the Intel architecture; (C) run Microsoft software on that computer; or (D) in the future, enable Palladium. All of these are as much voluntary choices as their career, their job, and their personal habits. None of these are compelled. For all of their choices on these questions, people make them because those are what bring the greatest value in terms of achieving their goals and satisfying their needs. These are all voluntary choices.
Just as there is a difference between being forced to do something and being compelled to do something, there is a difference between being compelled to do something and that something being entirely voluntary. If you work in an office today, the chances are your office will use Windows and that your job will therefore involve use of Windows. You could change your career and become a bricklayer, but this is not realistic. Similarly, if you own a business, then the chances are you will use Windows and Microsoft Office, not out of choice, but because the proliferation of Office formats, and the inability of Office to export in a standard format like PDF, makes it unrealistic to use any alternative. The obfuscation of Office formats also makes it unrealistic to attempt to develop alternatives, although the programmers of OpenOffice are doing their best. Palladium requires public key encryption, with the key stored on your computer and known only to whoever put it there, irretrievable to yourself. Therefore, developing an alternative to Palladium would be literally impossible. To gain compatibility you would therefore have no realistic alternative but to use Palladium.
Microsoft products come preinstalled on the vast majority of PCs and the vast majority of users accept the preconfigured defaults, so to gain compatibility with those users, either they would have to avoid using Palladium features or you would have to use Palladium. The design of the system makes it pretty obvious that the real reason for this is not to benefit the user but to profit from vendor lock-in. CSS anyone?

Decentralized

Palladium, contrary to some early rumors, does not limit itself to code signed by a centralized body like Microsoft. Instead, each application developer can set up its own key that will be used to authenticate versions of that application that are running on remote machines. In this way there are no limitations on access to Palladium technology. Every developer, from the largest to the smallest, can set up its own trusted applications without needing permission from Microsoft or anyone.

Compatible

The key technical enhancement of Palladium is that trusted apps can run side by side with legacy ones. The trusted apps run in the "curtained memory" of the system and are immune to being observed or altered by any other software. Trusted apps can then use hardware encryption to save data on the disk such that no other applications can decrypt it. This allows Palladium to retain full backwards compatibility with existing Windows applications. There is no need to reboot or limit the other software that the user runs, in order to use Palladium features.

Empowering

There are a number of uses for Palladium which will empower end users at the expense of centralized bureaucracies. Recently, several researchers pointed out that Palladium could increase the security of P2P file sharing networks, making it harder for copyright owners to inspect the data flowing through the network and attack it.

Instead, the copyright owners can apply for a court order to have the network shut down completely, and Palladium makes this technically possible (this is not currently the case with most P2P systems). Furthermore, public sharing of illicit or copyright material will be no more secure under Palladium than is presently possible.
The present method by which illegal filesharers on P2P systems (in this case I'm using Gnutella as an example, but this works similarly on other systems) are caught and taken to court is as follows:
1) The IP holder or their representative connects to the P2P system and searches for filenames which are likely to contain infringing material. For example, the IP holder of "Motion" by Front 242 might search for "front 242 motion".
2) Upon receiving results, the IP holder starts a download of any infringing files and observes the IP address of the servent carrying the file.
3) The IP holder checks the downloaded file to ensure it contains infringing material, and, in the case that it does, traces the IP address of the servent to their ISP, requests the physical address of the servent and issues a lawsuit or cease and desist notice.
Possible guards against this include:
1) Restricting file listings and downloads to users that you know and trust. This is technically feasible today through public/private key encryption, and also will be feasible using Palladium technology. This has the effect of reducing the number of users on the network dramatically and thereby decreasing the number of files shared.
2) Renaming files so that they cannot be found by IP enforcers. This has the effect that genuine users cannot find the files, either.
Users who download files from P2P networks are currently less vulnerable than users who offer files for upload. However, it is possible for downloaders to be caught in the event that an IP enforcer or informer has access to a machine through which their network traffic travels between the server and client. This is easily protected against today using public key encryption, and again this will not change under Palladium.
Additionally, Palladium will offer one further step to the IP holder in the above description of how infringers are caught:
4) The IP holder uploads the infringing file to a central blacklist, as a result of which copies of the file found on any Palladium enabled machine will be deleted automatically the next time they connect to the Internet. This is the only net change that will occur to file sharing networks as a result of Palladium.
It is a falsehood that Palladium includes a central blacklist of files to be deleted. Please provide a reference for this claim. MKWilliams
Therefore, this example is bogus. Palladium will not offer any increased security to users sharing illegal files over P2P networks.
Lezek 01:58, 17 Nov 2003 (UTC)

See this article for a detailed proposal on how Palladium can support P2P file exchange systems. The authors show how Palladium technology "can be employed to better protect pirates and their peer-to-peer distribution networks from the entertainment industry."

Other possible applications include online games, where the use of cheating client software can be detected and eliminated, and auction systems, where "sniping" and similar antisocial behavior can be limited. MKWilliams

Open

Microsoft plans to release the Palladium micro-kernel, known as the Nexus or the Nub, in source code form. This will allow people to confirm that Palladium works as claimed, and use the "many eyes" principle to improve the security and reliability of the Palladium system.

This has no practical meaning, because in order to use the micro-kernel, it must be signed by a certifying authority. Therefore, the source code is useless to anybody who does not have the authority to sign it or the money to pay for someone else to do this. Since it's unlikely that Microsoft will allow anyone to sell modified versions of their micro-kernel (in order to cover their costs getting it signed), in practice nobody will be able to use the source code. Lezek
It is a falsehood that the Palladium micro-kernel or any other code must be signed by a certifying authority. Please provide a reference for this claim. MKWilliams
I'm no computer geek in any way, but I'm trying to understand all this Palladium stuff. So I would like to ask: if no "certifying authority" signs the code as trusted, who does it? The user? The one who wrote the code? Who can then guarantee that viruses are not given "trusted" status (voluntarily or not), and is able to cause havoc in all non-trusted programs? As I understand it, once trusted it is not possible to modify (delete?) the virus code in the protected area, so if infested, will it be possible to get rid of it?
And another thing (which maybe is not directly related): In commercials on Swedish radio, it is claimed that the new 64-bit processors (in particular AMD's) are "safe" against all computer viruses (have built-in virus protection which should render antivirus software obsolete) - exactly how much truth lies in that claim? Thanks in advance, \Mikez 07:34, 9 Dec 2004 (UTC)

Rebuttals

Quick rebuttals to some of the anti-Palladium points above:

Not anticompetitive

Palladium is a decentralized system which allows each content developer to set up their own "sphere of influence" independent of the others. Microsoft has indicated that access to Palladium technology will be freely available. This does not allow them to monopolize DRM technology, rather each developer can use Palladium to create their own DRM system and rules.

This is stupid, because the DRM technology created by other companies must still rely on underlying Microsoft technology, patented by Microsoft. Therefore, Palladium is anticompetitive. Lezek

So what does Microsoft gain? Simple: they sell more versions of Windows if PCs are used more widely. Palladium will allow content companies to set up software systems that let them distribute movies, music, video, ebooks and other content across the net, while retaining control over copying and redistribution.

Not compulsory

There is no need to make Palladium compulsory in order for its benefits to be widespread and effective. Since the software will be built into the Longhorn operating system, with the hardware crypto chip being installed in the next generation of PCs, most users will automatically have access to this technology. Then, content companies need only require users to enable Palladium in order to get access to free trials and low cost downloads of high value content. Users will voluntarily utilize Palladium technology simply because doing so makes their computers so much more useful and valuable. There is no need whatsoever for mandates and compulsion.

This completely ignores the issue of the Consume But Don't Try Programming Act
The CBDTPA is an old proposal which failed. No replacement has been offered. Its principal author, Ernest Hollings, has announced his retirement. MKWilliams
I am concerned with the "so much more useful" - what business/non-advanced user won't see this as a form of compulsory? Nobody, except those who actually oppose Palladium, will opt to have a "less useful" system. The inclination to be "compatible", as with the examples above of businesses opting for MS Office (despite the fact that any document can be saved in text, rich text or HTML before being sent to somebody else who might be using another system), is going to make many people feel they have something to lose by not opting in. I could easily see the emergence of a culture, similar to the current one, where ill-informed users/companies start just sending out documents without even realising that some people out there might not have a system setup that allows them to read these documents.
To summarise: "content companies need only require users to enable Palladium in order to get access to free trials and low cost downloads of high value content" has the word "require" in it.

Not untrustworthy

Contrary to claims, the security chip does not have control over your computer. Its functionality is limited to generating a key internally, then taking a hash of software as it loads into memory, and reporting that hash remotely, signed with its crypto key. It can also perform other crypto functions on request. This is about as far from "absolute control" as you can get!

This is stupid, because it demonstrates a misunderstanding of how the system works. No, the chip itself does not have control over your system, it's merely there to provide secret cryptographic functions necessary to make the Palladium system work. In order to use Palladium features, you have to grant external authorities certain controls over your machine. It is likely that in order to use future versions of Office, listen to legally downloaded music, watch movies, and possibly even connect to the Internet at all (although that is looking ahead somewhat), you will be required to enable Palladium features. Therefore, you are faced with a choice between giving an external authority absolute control over your computer, or having a useless computer that can effectively perform no useful function. Lezek
Whenever someone runs a program they didn't write, which happens probably 99.999% of the time, they are giving someone else (the program's author) control over their machine. Palladium doesn't change that.
Malicious features would not last very long in open source software - there are enough developers out there who would remove such features and you can use the corrected version. I would say that the author of an open source program would have comparatively little control over my machine (as it is possible for the entire community to see exactly what the program does) and I, using pretty much entirely open source, would therefore conclude that I give sole control of my machine to "someone else" nearly 0% of the time.
You claim to have a good understanding of Palladium. You claim that you must grant external authorities "certain controls". What are these controls, specifically? MKWilliams

The page is actually not too bad so far as its facts go, it is the tone of it that violates neutrality. I'll go through and read it over more carefully later on (if I remember) but my initial impression is that it just needs to be rephrased so that it is more encyclopedic in style. Tannin 00:59 May 12, 2003 (UTC)


Yeah, I'm going to flag this for an NPOV dispute. While I agree that this is an attempt by Microsoft to completely dominate the industry, the article spends too much time bashing the idea and not enough time talking about the positive aspects (if any). CHz 10/21/03, 2:47 PM PST

Umm, if you admit the possibility that there are no positive aspects, how do you propose that the article talk about them?
The above arguments in favour of Palladium are demonstrably farcical at best, and deserve to be shown as such within the example. There are a large number of competent computer scientists writing for wikipedia, and none of them have been able to come up with any sensible arguments in favour of Palladium. Why, therefore, do we flag it as NPOV dispute on the grounds that Microsoft assert that Palladium is good for all humanity? Do we flag Nazism as NPOV dispute on the grounds that Hitler asserted that it was good for Germany? I for one consider this article balanced. Lezek 02:14, 17 Nov 2003 (UTC)
Why not just add some of the positive arguments from this talk page? The article spends about four sentences talking about positive aspects, the two in the second paragraph and the first two sentences in the "Virus Cure?" section, and calling those sentences positive is somewhat reaching. The negative arguments, however, are strewn throughout the article and even have their own section. This talk page has many arguments that don't appear on the main page, even if they are suspect. Why not just add an "Arguments for Palladium" section? CHz 23:55, 17 Nov 2003 (UTC)
Because these arguments are not merely suspect but fully nonsensical. Unless the aim of Wikipedia is to produce as much nonsense as possible, which would come as news to me. Lezek 00:52, 25 Dec 2003 (UTC)
1). Just because the arguments are "nonsensical" doesn't mean that they can't be included in the article: "Microsoft claims that...," "Microsoft believes that...," etc. The Nazism example that you provided gives the Nazi assertions, but it makes it clear that these are not facts but rather opinions and beliefs held by the Nazis.
2). There are several positive claims on this page that you don't rebut, such as the "Decentralized" section which states that all program developers can create trusted applications and the "Compatible" section which states that nontrusted applications will be able to be run alongside trusted applications.
3). You make two arguments that a person claims are false. This person asks you for the sources of your claims, but you haven't provided them. This person has remained anonymous, so these may just be spiteful lies, but it would be nice if you'd provide the references.
CHz 18:12, 30 Dec 2003 (UTC)
I've signed some of my comments above, now that I have an account here. I don't exactly see how that makes them less likely to be "spiteful lies", but perhaps the magic of a name will induce Lezek to provide the requested documentation for his points. MKWilliams 18:44, 10 Jan 2004 (UTC)
As you can probably guess from my failure to update for over a year, I lost interest in this issue a long time ago, since the idea certainly seems to have lost a lot of favour at Microsoft, and it's become clear that some of the worst fears are unfounded.
The two disputed claims are from other people's interpretations of functionality that would likely be provided or made possible by Palladium, and many of these interpretations have since proven unfounded or inaccurate, either because the specification of Palladium changed, or because they were wrong in the first instance.
I maintain that most of the arguments in favour of Palladium are either outright false (increased protection against viruses and worms), or apply equally well to measures that could be taken without the benefit of TCPA (signed applications from 'trusted' sources).
It is also dangerous because it provides all software manufacturers with a reliable mechanism to produce vendor lock-in. Given that it is already far too easy to create this situation, and that there is already severe vendor lock-in in many fields of computing, worsening it seems hardly beneficial.
I would happily accept TCPA hardware with the proposed 'user override' feature [1], but apart from the obvious cryptographic benefits of fast hardware random number generation, it would hardly be useful above what could already be achieved with existing hardware. - Lezek 13:37, 2 Mar 2005 (UTC)

Proposal to remove incorrect Functionality and Criticism text

I propose to remove the lengthy discussion under "Functionality of TCPA/NGSCB" on the main page which describes a mistaken understanding of how Palladium would work, involving only loading a signed OS, etc. Also I propose to remove the response to this under "Criticism" which is no longer relevant since that description was mistaken. I will leave the accurate Functionality description (the first part of that section) as it is correct. Any objections? MKWilliams 20:29, 4 Dec 2003 (UTC)

If that's not correct, then go ahead. CHz 04:50, 6 Dec 2003 (UTC)

Okay, I took out the old description, and left in only those entries in Criticism which made sense in the context of the accurate description. MKWilliams 18:33, 10 Jan 2004 (UTC)

What is Palladium?

Clearly there is a lot of difference in opinion over what exactly Palladium/TCPA/NGSCB (hereinafter abbreviated to PTN) will do, which seems to fit into two camps:

  1. PTN requires a signed OS be booted, which will only run signed programs and connect to PTN websites only, and will stop the user copying protected content or opening it with anything other than a designated program. Microsoft will be the core authority for signing things, but may delegate to other companies to avoid any anticompetitive grief, though these would be beholden to Microsoft.
  2. PTN can load a signed OS or not, but only a signed OS would be able to access protected content and connect to PTN-only websites. Also each program does not have to be signed, but can be. It can also use the cryptographic functions of PTN at will, though whether this required a program to be signed or not is unclear. Signing is done by anyone, as anyone can generate their own public/private key pair within whatever encryption scheme PTN uses.

Perhaps someone can provide a list of what PTN actually does, so that a) the article can be amended and b) this functionality can be examined and, if necessary, criticised.

Daveryan 14:22, 4 Jan 2004 (UTC)

Actually, neither of these is correct. See the main page for how it actually works. There is no signing of the OS or of programs. Rather, a crypto hash is taken of each software component as it loads into memory, via secure hardware. That hash can then be used to lock/unlock (encrypt) data or to securely validate the software configuration to a remote machine.

MKWilliams 18:29, 10 Jan 2004 (UTC)
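The model MKWilliams describes here and under "Not untrustworthy" above (the chip hashes each component as it loads, that measurement can lock or unlock data, and the same measurement can be reported to a remote party under the chip's key) is easy to misread without seeing the three operations side by side. The following is an added example written for this archive; it is not code from Microsoft, from any NGSCB or TCPA document, or from anyone in the discussion. It assumes a PCR-style extend operation (new = H(old || H(component))), a toy SHA-256 counter-mode cipher for sealing, and an HMAC with a key the verifier also holds standing in for the chip's asymmetric attestation signature, so that it runs with only the Python standard library. All component names and keys are constructed.

```python
"""Toy NGSCB-style measure / seal / attest loop. Constructed illustration only:
the XOR keystream, the HMAC standing in for an asymmetric attestation signature,
and every name below are assumptions of this example, not Microsoft's design."""
import hashlib
import hmac
import os


def _xor_stream(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode); assumed here for brevity."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class SecurityChip:
    """The chip: keys never leave it; it only hashes, seals/unseals and reports."""

    def __init__(self, seal_root, attest_key):
        self._seal_root = seal_root    # only ever used to derive sealing keys
        self._attest_key = attest_key  # stand-in for the private attestation key
        self.pcr = bytes(32)           # measurement register, zeroed at power-on

    def extend(self, component):
        """Record a component as it loads: pcr = H(pcr || H(component)).
        Order-sensitive and not rewindable without a reboot."""
        self.pcr = hashlib.sha256(self.pcr + hashlib.sha256(component).digest()).digest()
        return self.pcr

    def _seal_key(self, measurement):
        return hmac.new(self._seal_root, b"seal|" + measurement, hashlib.sha256).digest()

    def seal(self, data):
        """Encrypt so that only a machine in the CURRENT measured state can recover it."""
        key, nonce = self._seal_key(self.pcr), os.urandom(16)
        ct = _xor_stream(key, nonce, data)
        return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

    def unseal(self, blob):
        """Fails unless the measurement now equals the one at sealing time."""
        key = self._seal_key(self.pcr)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
            raise PermissionError("software configuration differs from sealing policy")
        return _xor_stream(key, nonce, ct)

    def quote(self, nonce):
        """Remote attestation: the measurement, authenticated under the chip key.
        The verifier's nonce prevents replay of an earlier quote."""
        sig = hmac.new(self._attest_key, b"quote|" + nonce + self.pcr, hashlib.sha256).digest()
        return self.pcr, sig


def expected_measurement(stack):
    """What a remote verifier computes for the software stack it is willing to trust."""
    m = bytes(32)
    for comp in stack:
        m = hashlib.sha256(m + hashlib.sha256(comp).digest()).digest()
    return m


def verify_quote(attest_key, nonce, measurement, sig, trusted):
    """Verifier side: the quote must be authentic AND name a stack we accept."""
    good = hmac.new(attest_key, b"quote|" + nonce + measurement, hashlib.sha256).digest()
    return hmac.compare_digest(sig, good) and hmac.compare_digest(measurement, trusted)


def boot(stack, seal_root, attest_key):
    """Simulate power-on: fresh register, then measure each component in load order."""
    chip = SecurityChip(seal_root, attest_key)
    for comp in stack:
        chip.extend(comp)
    return chip


# Constructed sample stacks; the byte strings stand for hypothetical component images.
GOOD_STACK = [b"nexus kernel 1.0", b"trusted agent: media player 1.0"]
TAMPERED_STACK = [b"nexus kernel 1.0", b"trusted agent: media player 1.0 (patched)"]


def scenario():
    """Seal under the good stack, then 'reboot' with a modified agent and retry."""
    seal_root, attest_key = os.urandom(32), os.urandom(32)  # provisioned in the chip
    secret = b"content decryption key 0x01"
    good = boot(GOOD_STACK, seal_root, attest_key)
    blob, nonce = good.seal(secret), os.urandom(16)
    m, sig = good.quote(nonce)
    tampered = boot(TAMPERED_STACK, seal_root, attest_key)
    try:
        tampered.unseal(blob)
        unseal_after_tamper = True
    except PermissionError:
        unseal_after_tamper = False
    m2, sig2 = tampered.quote(nonce)
    trusted = expected_measurement(GOOD_STACK)
    return {
        "unseal_good": good.unseal(blob) == secret,
        "attest_good": verify_quote(attest_key, nonce, m, sig, trusted),
        "unseal_after_tamper": unseal_after_tamper,
        "attest_after_tamper": verify_quote(attest_key, nonce, m2, sig2, trusted),
        # a modified agent that *claims* the good measurement still fails: the
        # signature binds the value the chip actually holds, not a reported one
        "attest_forged_value": verify_quote(attest_key, nonce, trusted, sig2, trusted),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

Two points the run makes concrete. Nothing is signed before it loads, which is exactly the distinction drawn in the reply above: a changed agent is not refused, it simply ends up with a different measurement, and it is the sealed data and the remote verifier that refuse it. And because the verifier in this toy needs `attest_key` to check a quote, the real design has to use an asymmetric key whose public half the verifier holds; that key pair, and who vouches for it, is where the privacy and control questions raised elsewhere on this page actually attach.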

Shouldn't this page be renamed?

As the article correctly states, the NG-SCB was previously known as Palladium - so shouldn't it be moved to Next Generation Secure Computing Base. It's a pain to type, but we can have any number of redirects. Given that I don't have time to read through the whole debate on this page and get involved in any other way, I won't just do it, but I thought I'd bring it up anyway. - IMSoP 15:40, 11 May 2004 (UTC)

I second that proposal. Edward Grefenstette 14:47, 9 Dec 2004 (UTC)

Wasn't this supposed to be an NPOV dispute?

The link to this page was an NPOV dispute message. What exactly does discussing the pros and cons of NG-SCB (both of which are given equal prominence in the 'disputed' article) have to do with NPOV? About as much as Bill Gates has to do with selling strawberries! Removed the NPOV dispute autolink, replaced it with a 'see also' (since nobody seems to be disputing the neutrality anymore, but still talking about the subject itself).