Microsoft Your Rights Online

Palladium's Power To Deny 568

BrianWCarver writes "The Chronicle of Higher Education has the most detailed article I've yet seen on Microsoft's Palladium architecture. The article discusses the potential Palladium has to give publishers power to eliminate fair use and the potential for software manufacturers to use Palladium to enforce shrink-wrap licenses. Comments from several great sources, including Ed Felten (Freedom to Tinker), Eben Moglen (pro-bono counsel for the Free Software Foundation and recent Slashdot interviewee), and Seth Schoen (Electronic Frontier Foundation), among many others. Key quotations from the article: Palladium could create 'a closed system, in which each piece of knowledge in the world is identified with a particular owner, and that owner has a right to resist its copying, modification, and redistribution. In such a scenario the very concept of fair use has been lost.' 'Palladium will "turn the clock back" to the days before online information was widely available.' and 'Microsoft could decide to lock everything up.'"
  • Excuse me, but (Score:5, Informative)

    by Raul654 ( 453029 ) on Monday February 17, 2003 @01:50PM (#5320227) Homepage
    Wasn't there an article on slashdot a while back talking about how someone had defensively patented Palladium-DRM schemes in order to prevent M$ from doing exactly this? If so, then how can M$ do this now -- would it not be in violation of such patents?
  • by vivek7006 ( 585218 ) on Monday February 17, 2003 @01:54PM (#5320264) Homepage
    Print: The Chronicle: 2/21/2003: Control Issues
    From the issue dated February 21, 2003


    http://chronicle.com/free/v49/i24/24a02701.htm

    Control Issues Microsoft's plan to improve computer security could set off fight over use of online materials

    By FLORENCE OLSEN

    Computing experts in academe often blame Microsoft for producing software that is vulnerable to viruses and hackers. But, of late, the experts have been criticizing the company's sweeping plan to correct those very deficiencies.

    Under the plan, announced seven months ago under the name Palladium, new computers would be equipped with security hardware and a new version of the Windows operating system.

    The goal, Microsoft officials say, is to make servers and desktop PC's that people can trust. But critics say the technology, which Microsoft recently renamed "the next-generation secure computing base," could stifle the free flow of information that has come to characterize the Internet, and could give Microsoft too much control over colleges' own computerized information.

    With the new technology, information-systems officials could use cryptographic hardware "keys" rather than software controls, like user names and passwords, to lock up student records and prevent illegal copying of materials. Registrars would have tamper-proof controls over who could see, copy, or alter the records. The advances could be used to prevent identity thieves from invading campus computer networks to steal Social Security numbers, grades, and other personal data.

    Money and Access

    Palladium would require colleges to make expenditures on new computers and software. Existing computers could not be retrofitted.

    Colleges would decide whether to buy Palladium-capable software and hardware, and then whether to activate Palladium's security functions. But practically speaking, they would face enormous pressures to do so, especially if publishers of books, journals, software, and other electronic "content" were to adopt Microsoft's standard to deliver their materials online. The publishers could dictate that colleges had to use Palladium or else be denied access to the material. That worries many in academe, who believe that publishers would use Palladium to bar some uses of digital materials to which scholars argue that they are entitled under copyright law. That loss may outweigh the advantages of tighter security over student records, the critics say.

    "If Palladium is adopted, and if other technology vendors exploit it fully to restrict access to copyrighted works, education and research will suffer," says Edward W. Felten, an associate professor of computer science at Princeton University, who was the U.S. Justice Department's chief computer-science expert in its antitrust case against Microsoft.

    Microsoft officials respond that their new technology will simply give all users -- whether colleges or publishers -- more control over the information they own. Colleges have been demanding more computer security, says Brian LaMacchia, a software architect in Microsoft's trusted-platform-technologies group, which is responsible for Palladium. "It's a two-edged sword," he says, acknowledging that commercial publishers have demanded greater protection for their copyrighted works.

    Palladium's software components will be part of the next major version of Windows, which Microsoft has said it may release toward the end of 2004. Some hardware components that Palladium needs, including a security chip, are available already in a notebook computer, the IBM ThinkPad T30. Chip manufacturers and the major computer companies -- Dell, Gateway, Hewlett-Packard, and IBM, among others -- have begun work to redesign PC's so that they will work with Palladium software.

    A key component of Microsoft's new technology is the "nexus," a minisystem that runs in a sealed-off area in the computer's memory, where private transactions can be conducted, and where designated security and copyright policies would be enforced. In theory, the nexus is immune to many of the problems that plague Windows machines, like viruses.

    Moving away from password-protected security and toward security that is built into the hardware would make campus networks less vulnerable to hacker attacks, Microsoft officials and academic experts agree. "Once you move to hardware security, then you're talking about deterring 98 to 99 percent of all hackers," says David C. Rice, a security consultant who is an adjunct faculty member in the graduate program in information security at James Madison University.

    Here's how Palladium works: If a program -- with its nexus -- were running on a server in, say, a college registrar's office, the server would ask any computer that tried to gain access to student records on the server to certify what program it was running. The server would block access to the records if the computer were running an insecure program. Such questioning of another computer is not part of most security mechanisms in use today. As a result, college computer systems are repeatedly victimized by hacker attacks.

    Mr. LaMacchia says that Palladium also would permit personal data and other files to be kept secret on the computer's hard drive in an area where the data would be unreadable by any program other than the one on the computer that created them.

    "It's definitely going to solve a lot of security problems, but it's like any kind of new technology," says William A. Arbaugh, an assistant professor of computer science at the University of Maryland at College Park. "It can do good or evil."

    Fair Use

    Whether it is used for "good" or "evil," he says, will depend on who gets to control the technology -- colleges or the publishers whose "content" the colleges use.

    Most of the early controversy surrounding Palladium in academe has concerned its impact on "fair use," a gray area in copyright law that gives professors and researchers limited but free use of copyrighted materials. In the past, faculty members could decide on their own that "fair use" permitted them to distribute a journal article to, say, 10 students. But publishers could use Palladium's controls to unilaterally limit use of their materials, such as by restricting professors to a read-only view of the article, from which they could not "cut and paste" the text.

    With Palladium, owners of content would gain at the expense of consumers of content, including professors and students, says Eben Moglen, a professor of law and legal history at Columbia University. In fact, if Palladium were to become a widely accepted way of protecting copyrighted material, Mr. Moglen says, it would create "a closed system, in which each piece of knowledge in the world is identified with a particular owner, and that owner has a right to resist its copying, modification, and redistribution."

    In such a scenario, he says, "the very concept of fair use has been lost."

    Ross Anderson, who holds a faculty post as a reader in security engineering at the University of Cambridge's Computer Laboratory, says Palladium will "turn the clock back" to the days before online information was widely available.

    The biggest losers, he says, will be "small colleges, poor schools, universities in Africa, hospitals in India -- the people who have benefited hugely from the availability of vast amounts of information that was simply unavailable to them before."

    Publishers generally support the type of copyright-enforcement mechanisms that would be in Palladium systems, although "there would be some concerns about bugs in those systems," says Ed McCoyd, director of digital policy for the Association of American Publishers. For example, he says, even now, while publishers complain about the inflexibility of technical controls in electronic-book readers, they do not want to share those controls with users.

    "They certainly want to have sufficient flexibility in the publisher settings -- one publisher might choose to enable printing, one might not," Mr. McCoyd says. But with the new technology, he predicts, publishers will insist on controlling the software settings for what they "consider to be fair use."

    Some experts argue that computer and network security are so weak today that the benefits of Palladium outweigh any risks that Microsoft, or content providers, would abuse the new controls.

    "Microsoft could decide to lock everything up," says David J. Farber, a professor of telecommunications systems and of business and public policy at the University of Pennsylvania. "But there is nothing a priori that says they'll be all bad boys."

    Indeed, Microsoft says it is listening to its critics. It has been talking with academic researchers about the new technology far earlier than usual in Microsoft's product-development process. "Part of the reason has been to hear the feedback -- positive and negative -- from the academic community, analysts, influentials, and others," says Amy Carroll, group manager of Microsoft's trusted-platform-technologies group.

    Palladium's software architects have given several guest lectures at universities in the United States and Britain, in part, Ms. Carroll says, to listen to academic concerns "and, hopefully, assuage them."

    Many of the concerns are a result of misunderstanding what the new technology will do and how it will work, Ms. Carroll says. Microsoft plans to publish the source code for its nexus, she says, so that "people can view the code and see that it will do what we say it will do," and see that it will not give the company control over colleges' computerized information.

    Even Palladium's critics see good uses for the technology, like maintaining the privacy of student records. Colleges may want to have Palladium activated on some servers to keep them from running "pirated software, MP3's, or anything that is illegal," says Mr. Rice, the security consultant.

    More Worries

    But Palladium is worrisome to college officials for reasons other than an erosion in the fair use of copyrighted materials. Jeffrey I. Schiller, a network manager at the Massachusetts Institute of Technology, says software companies most likely would use the program to enforce license agreements that many in academe believe are legally unenforceable. For example, more and more software licenses forbid users from running tests known as benchmarks to measure the performance of one company's software against that of its competitors.

    Some critics, like Mr. Schiller, say Palladium might achieve the results intended by the Uniform Computer Information Transactions Act, a model law devised by the National Conference of Commissioners on Uniform State Laws, which has been enacted only in Maryland and Virginia. Ucita is "an attempt to give these software licenses the force of a signed contract, even though you didn't sign a contract," Mr. Schiller says. With Palladium, technology would "enforce" the licenses de facto, he says.

    Microsoft insists that its new technology is a neutral platform. "It is certainly possible that an application vendor could choose to use [Palladium] to evaluate and enforce some software licensing terms," acknowledges Ms. Carroll. But "at the end of the day," she says, "the terms of the license for an application are strictly an issue between the vendor and the university."

    Others think Palladium would be an anti-competitive tool in the hands of software publishers, especially Microsoft, which, in 1999, was found guilty by a federal-district court of monopolistic practices. With Palladium, software publishers could decide to create programs that refuse to work with rival programs, a tactic that is difficult for them to get away with now, says Seth Schoen, a staff technologist at the Electronic Frontier Foundation, a group that promotes civil liberties in cyberspace.

    Critics of Palladium frequently cite a hypothetical situation in which a company makes a word-processing program that requires Palladium to run and that encrypts all of the documents that it creates. "Any other Palladium user who is also using that same word processor will be able to decrypt and view the documents," Mr. Schoen says, "but nobody without access to Palladium or who uses a different word processor would be able to derive the necessary decryption keys."

    Microsoft faces an uphill battle to win acceptance for Palladium in academe. College students, many of whom are used to playing illegal copies of music and videos on their personal computers, may be resistant.

    "They're not going to consciously go out and buy a product that necessarily limits their ability to do what they want to do," says Mr. Rice, the security consultant. "They'll definitely buy a product if it means security for them. I don't know if they're going to buy a product if it means security for somebody else."

    The Business Software Alliance, a trade group representing software companies, declined to comment on Palladium, citing a policy of not talking about its members' products. But Robert M. Kruger, vice president for enforcement, says the group is beginning to tilt more toward technology to enforce copyrights.

    In dealing with software and other copyright piracy on campuses, colleges "aren't sending the message as aggressively as we would like," he says.

    Will MIT, whose researchers have studied Palladium, want to run it? Maybe not, says Mr. Schiller, the university's network manager. "Personally, I would never use this technology," he says. As for MIT, though, it's an open question, he says. "Palladium has to become more real for us to really decide if we can use it."

    "If I had my druthers, I'd love the technology to be available and used for all the good things we could use it for," Mr. Schiller says. "But I'm enough of a realist to know that's not how it's going to play out."

    WHAT PALLADIUM WILL AND WON'T DO

    Microsoft's Palladium project is designed to make Windows computers more secure. But computer experts are concerned that the technologies being used to make computers more secure will block the free flow of information needed for teaching and research.

    Palladium will:

    • Run programs that could prevent illegal copying of or unauthorized access to information stored in PC's.

    • Permit owners of digital information, whether copyright holders or registrars responsible for student records, to set tamper-proof controls on who can see, copy, and alter digital files.

    • Prevent unauthorized access, via a computer network or the Internet, to Social Security numbers, credit-card information, and other personal data stored in PC's.

    Palladium will not:

    • Replace the Windows operating system.

    • Search the Internet to detect and delete pirated software, music, and movies.

    • Eliminate spam and software viruses.

    • Prevent a digital thief from gaining access to a computer in person and disabling its hardware security features.
    SOURCE: Chronicle reporting
    Copyright [slashdot.org] 2003 by The Chronicle of Higher Education
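
The two mechanisms the reposted article describes, the server asking a client "to certify what program it was running" and data kept "unreadable by any program other than the one on the computer that created them", can be modelled in a few lines. This is an added example, not code from Microsoft, the Chronicle or the poster; the class and function names are hypothetical, and HMAC-SHA256 stands in for the chip's signature and cipher so that only the Python standard library is needed.

```python
import hashlib
import hmac
import secrets


def measure(program_image: bytes) -> bytes:
    """Identity of a program = SHA-256 of its image (assumed measurement rule)."""
    return hashlib.sha256(program_image).digest()


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated parts."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with an HMAC counter-mode keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = _prf(key, nonce, (i // 32).to_bytes(8, "big"))
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


class SecurityChip:
    """Hypothetical model of the security chip; its secrets never leave it."""

    def __init__(self):
        self._device_secret = secrets.token_bytes(32)  # root of sealed storage
        self._attest_key = secrets.token_bytes(32)     # stand-in for a signing key

    def export_verify_key(self) -> bytes:
        # Assumption: a real design would publish a certified public key here.
        return self._attest_key

    def _keys(self, program_image: bytes):
        # Keys depend on BOTH this chip and the measured program.
        root = _prf(self._device_secret, b"seal", measure(program_image))
        return _prf(root, b"enc"), _prf(root, b"mac")

    def seal(self, program_image: bytes, plaintext: bytes) -> bytes:
        enc_key, mac_key = self._keys(program_image)
        nonce = secrets.token_bytes(16)
        ct = _xor_stream(enc_key, nonce, plaintext)
        return nonce + ct + _prf(mac_key, nonce, ct)

    def unseal(self, program_image: bytes, blob: bytes) -> bytes:
        if len(blob) < 48:
            raise ValueError("blob too short")
        enc_key, mac_key = self._keys(program_image)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, _prf(mac_key, nonce, ct)):
            raise PermissionError("different program or different machine")
        return _xor_stream(enc_key, nonce, ct)

    def quote(self, program_image: bytes, challenge: bytes):
        """Attest to the running program, bound to the server's fresh challenge."""
        m = measure(program_image)
        return m, _prf(self._attest_key, b"quote", challenge, m)


class RecordsServer:
    """Hypothetical registrar server that admits only allowlisted programs."""

    def __init__(self, trusted_measurements, verify_key: bytes):
        self._trusted = set(trusted_measurements)
        self._verify_key = verify_key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def admit(self, measurement: bytes, signature: bytes) -> bool:
        nonce, self._pending = self._pending, None  # each challenge is single-use
        if nonce is None:
            return False
        expected = _prf(self._verify_key, b"quote", nonce, measurement)
        return hmac.compare_digest(signature, expected) and measurement in self._trusted


if __name__ == "__main__":
    client = b"registrar-client v1 (constructed sample image)"
    patched = client + b" with one byte changed"
    chip = SecurityChip()
    blob = chip.seal(client, b"constructed student record")
    print("same program unseals:", chip.unseal(client, blob))
    server = RecordsServer({measure(client)}, chip.export_verify_key())
    print("approved client admitted:", server.admit(*chip.quote(client, server.challenge())))
    print("patched client admitted:", server.admit(*chip.quote(patched, server.challenge())))
```

Because the sealing keys are derived inside the chip from its device secret and the program measurement, neither a modified program nor a second machine holding the same blob can recover the data.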

  • by jbwiv ( 266761 ) on Monday February 17, 2003 @02:00PM (#5320318)
    http://www.stoppalladium.org
  • by LISNews ( 150412 ) on Monday February 17, 2003 @02:22PM (#5320459) Homepage
    If you've read Code [stanford.edu] you probably already know why this kind of regulation by code is bad, but Lessig also wrote on this over At The Atlantic Monthly [theatlantic.com].
    He says the picture of a world where one needs a license to read is discomforting.

    Current law represents a choice made by our democratic processes, and with copyright as code it's not clear how the same balance can be struck. The problem with regulation (And Law) through code is that there is no place for such a collective choice. If one kind of "trusted systems" software protects rights of fair use, a competing version will promise more control to the owner. This makes fair use a bug, not a feature.
  • Palladium != TCPA (Score:5, Informative)

    by mtnharo ( 523610 ) <greengeek AT earthlink DOT net> on Monday February 17, 2003 @02:23PM (#5320467) Homepage
    I'm positive that this has been talked about in previous stories about both Palladium and TCPA, but I feel that it is important to highlight the distinction once more. TCPA is a hardware product. Palladium is the next level of system-wide DRM that Microsoft is planning on including in Windows Longhorn or Greenhorn or whatever they feel like calling it tomorrow. The TCPA spec calls for code signing for the system BIOS, and for a special chip to handle encryption duties, taking that load off the processor. This is a good thing, as it could make PGP encryption and signing for email transparent, as well as allow for code-signing and verification in the background. It can be turned off if you don't want it, but it can only be a Good Thing. It doesn't mean you can't run anything other than Windows on your hardware. It means that proper security is implemented at the hardware level, making it more difficult to install a trojaned program (ie, the download is automatically checked for the proper checksum etc) With the load taken off the CPU, better crypto for online transactions and things like remote desktop access would no longer cause performance problems.

    Palladium would likely make use of this hardware to take care of the crypto aspects of DRM, but it is a part of Windows. If you don't buy Windows, you have nothing to worry about. Microsoft would have to manage to replace every DVD player, computer and MP3 capable device in the world to make DRM mandatory. Palladium may not be great for consumer's rights, but it is also not forced upon anyone. We still have a choice. Run some form of *nix on your current hardware, or buy a Mac. This shall pass.

    My 0.10 shekels
  • by Fulcrum of Evil ( 560260 ) on Monday February 17, 2003 @02:32PM (#5320530)

    Changing it yourself is a violation of the DMCA, even though you're the copyright holder because the DMCA protects that bit not your copyright.

    Bullshit. It is illegal to circumvent a technological method for protecting access to a copyrighted work. Since you own the work in question, and the bit is not copyrighted, you may abuse the encryption any way you like.

  • by SirSlud ( 67381 ) on Monday February 17, 2003 @02:35PM (#5320547) Homepage
    The US resembles the late UK 19th century 'free market out of control' situation so badly (replete with your modern day Gilbert and Sullivans attempting to enforce unreasonable copyright laws on multinational soil) that people really have forgotten that 'content creators' don't have a say. Content buyers, content distributors, content publishers, have ALL the power.

    Funny how every drastic social backlash seems to be preceded with a golden-age of middle-men. Just ask yourself when the last time you actually heard an honest to god content creator speak his or her mind .. and no, any "content creator" that owns a record label (the P. Diddys or Missy Elliot) don't count since their interests are planted firmly in the middle-man mindset. I guarantee you most artists and musicians would wanna slap ya upside the head for calling the Hollywood juggernaut content creators. They are publishers.

    Read up on some copyright history and you'll see we played this game about 100 years ago when piano roll technology hit the market and the UK saw rampant 'piracy' in the US. Find out why publishers are consistently mistaken for content creators over and over in the latter stages of each cycle in the history of copyright law.
  • Re:Correction (Score:1, Informative)

    by Anonymous Coward on Monday February 17, 2003 @02:38PM (#5320573)
    In military terms a "Trusted" system is one that can break your security policy. So a "Trusted" system can't be trusted.

    Users can't be trusted so they are trying to solve the problem by locking down our computers so they (content producers) can be trusted.
  • Re:=[ sad (Score:1, Informative)

    by Planesdragon ( 210349 ) <<su.enotsleetseltsac> <ta> <todhsals>> on Monday February 17, 2003 @02:53PM (#5320653) Homepage Journal
    The entire copyright regime is an impediment to freedom.

    No more so than marriage, alimony, or employment contracts.

    Despite what Gandhi said, everyone has a right to receive something for their labor. If I come over and setup your computer when you ask, I may be able to take you to court for wages--which I couldn't get if I didn't have the right to those wages.

    It (the right to copy) is specifically impinged as a societal bargain (a real honest to God social contract) that creators push along the arts and sciences faster than normal and in exchange get to have a limited monopoly for limited times.

    It's not a "limited monopoly" in the constitution. It's a legal securing of a right for a limited time.

    When you look at such things as Palladium, you have to ask, is this going to advance or retard the progress of the arts and sciences? I think it will retard it so I'm against it.

    How? I mean that, honestly and truly, HOW can Palladium retard the progress of arts and sciences?

    Knee-jerk reactions aside, I have heard nothing more malicious about Palladium than "it will let a program write data that only that program can read or write." How, exactly, does that retard the progress of arts and sciences?

    I end up losing rights without promised access to new and wonderful goodies. That's no bargain so we either remake the deal or call it off. If the RIAA/MPAA piss off enough people, the latter will be what gets passed.

    Unless Palladium becomes mandated--which, if you recall, MS is fighting against--the copyright bargain will remain unchanged no matter what is done.

    Once you have a copyright, you can use it however the heck you want, to gain wide distribution or to keep your invention private for yourself. Using a digital system that enforces your (admittedly draconian) agreement for use is hardly an abridgement of the copyright agreement.

    Arts and Sciences got along just fine for centuries without perfect digital copies, and I haven't seen file sharing advance any great art or science, myself.
  • by Mitreya ( 579078 ) <<moc.liamg> <ta> <ayertim>> on Monday February 17, 2003 @03:02PM (#5320717)
    Seems like a smart and good article but...

    Computing experts in academe often blame Microsoft for producing software that is vulnerable to viruses and hackers.
    But, of late, the experts have been criticizing the company's sweeping plan to correct those very deficiencies.

    How is Palladium a plan to thwart viruses and hackers? Right in the bottom of the very same article they say that Palladium will not eliminate software viruses. And I suspect that it will eliminate few hackers too, since the weakest link is the people, not computers.

    Can someone explain to me any real, additional potential benefits of Palladium? We have encryption and security for protecting sensitive data already... I bet most of student records leak from the paper copy accessed by some unscrupulous employee rather than through smart hackers.

  • The problem... (Score:3, Informative)

    by TopShelf ( 92521 ) on Monday February 17, 2003 @03:25PM (#5320850) Homepage Journal
    They can always start releasing new content using only DRM-enabled technologies. I have an older Jornada Pocket PC, for which I can't find hardly any eBooks, because it came out prior to the advent of DRM on those devices - I can't even upgrade to a more modern OS because it's a hardware issue. Add in the fact that most consumers don't have a clue about this issue, and they could definitely (not necessarily easily) make this a standard technology, and a gateway to moving forward with digital content.
  • Re:Excuse me, but (Score:5, Informative)

    by Kierthos ( 225954 ) on Monday February 17, 2003 @03:33PM (#5320887) Homepage
    Sorry, often times it does cost to defend yourself in court. There are the expenses incurred in having a lawyer (or more than one) for your side. There is also the loss of income because you are not working while you are in court defending yourself. Sure, you can hope, if you win, that the judge will take your legal costs onto the judgement, and factor in some punitive damages, but it's not guaranteed.

    Kierthos
  • by zaphod110676 ( 211758 ) <mattNO@SPAMmattscott.org> on Monday February 17, 2003 @04:04PM (#5321047)
    And fluoride is documented as being more toxic than lead. =)
    The Toxic Effects of Fluoride [wholywater.com]


  • Re:One-step process (Score:1, Informative)

    by Anonymous Coward on Monday February 17, 2003 @04:04PM (#5321049)
    Mac OS X is not unix. It is the proprietary mach kernel (which is not *BSD), with some *BSD utilities glued on.

    I can do the same thing by installing some GNU utilities or Cygwin in Windows. Is it unix now?

    No.
  • Re:Excuse me, but (Score:5, Informative)

    by SiliconEntity ( 448450 ) on Monday February 17, 2003 @04:17PM (#5321143)
    Wasn't there an article on slashdot a while back talking about how someone had defensively patented Palladium-DRM schemes in order to prevent M$ from doing exactly this?

    That was cypherpunk "Lucky Green", who said he submitted a patent application on ways to use Palladium for software copy protection. This was after Microsoft publicly told him that not only did they have no plans to do that, they couldn't even think of a way to use the technology for that purpose. Lucky said that he could think of lots of ways, so he'd go ahead and patent them. You can read more about Lucky's plans here [mail-archive.com].

    I haven't heard anything about this lately, and a recent patent office search for applications under Lucky's real name (widely known, his initials are MB) didn't turn up any hits. So I don't know if he actually went through with it or not.
  • Re:Excuse me, but (Score:5, Informative)

    by senahj ( 461846 ) on Monday February 17, 2003 @04:55PM (#5321364)
    > It doesn't cost ANYTHING to defend yourself in court.

    Clearly you've never defended yourself in court against a
    deep-pockets plaintiff. Perhaps you should refrain from
    commenting unless you know what you're talking about.

    Someone with money to burn can bury you and the court under
    a blizzard of motions, subpoenas, and depositions, to most of
    which you will need to respond. Copying and filing fees
    alone in such a case can amount to many thousands of dollars.

    Then there's the small matter of your own time.
    A plaintiff with money to burn can tie you up in court
    appearances and depositions for months on end.
    Will your employer understand if you only show up for
    work one or two days a week for six months?

    See if you can find the answers to these questions
    by Googling about :

    What has been the effect on the personal finances of
    Keith Henson (L5 Society founder, among other things)
    of exercising his free speech rights to criticize the
    Church of Scientology ?
    How did this effect come about ?

    Who was Scamizdat (hint: it wasn't Grady Ward) ?
    How many judicial motions did the Church of Scientology file
    against Grady Ward in an effort to prove that he was Scamizdat ?
    What impact did this have on Ward's finances ?

    Who is Larry Wollersheim ?
    How much was he awarded in his lawsuit(s) against the
    Church of Scientology? (appealed all the way to the
    Supreme Court; denied cert)
    When did Scientology exhaust the appeals process ?
    How much has Scientology actually paid to date ?
    How many lawsuits, cross-complaints, and legal actions has
    Wollersheim endured in his search for justice ?

  • by Anonymous Coward on Monday February 17, 2003 @06:58PM (#5322020)
    [[["Mac OS X is not unix"]]]

    The Open Group -- the official holders of the Unix trademark -- classifies UNIX as such:

    "UNIX - the worldwide Single UNIX Specification integrating X/Open Company's XPG4 and additional standards. The majority of commercial vendors have registered UNIX products, with most at the UNIX 95 level and newer products registering for UNIX 98."

    Obtaining an official UNIX title is merely achieved when key functionality is added, thus allowing the OS to meet the requirements of the UNIX brand. In this context, Windows NT could obtain UNIX status. Believe it or not.

    Either way, your argument is moot. The Open Group has already classified Apple as an official supporter of the "Single UNIX Specification".

    See for yourself [unix-systems.org]
  • by karlm ( 158591 ) on Monday February 17, 2003 @07:23PM (#5322142) Homepage
    If that one vendor didn't screw up, DVD's probably would still be unrippable.

    This is misleading.

    • The CSS cipher key is 40-bits.
    • Whoever designed the CSS cipher wanted it to be cheap in hardware and didn't put much effort at all into its design. There is a simple guess-and-check algorithm that breaks it with a work factor of 2 ** 16.

    Based on some simulations I ran with RC6, my PII 266 would break RC6 with a 40-bit key in just under a year on average (unoptimized C). The CSS cipher is much faster and is based on LFSRs, which can be bitsliced very efficiently using MMX instructions (I can try 128 keys simultaneously). Even without the weak cipher design, my lowly dinosaur of a machine could probably recover all of the player keys in under 2 months. (Very pessimistic estimate.)

    A work factor of 2 ** 16 means that even my slow machine can figure out the disk key in under a minute.

    26! is more than 2 ** 88, but that doesn't make your secret decoder ring strong crypto. More or less they used the equivalent of a secret decoder ring to encrypt the data. Ross Anderson's attack on the A4 cellphone cipher should have been known to the designers of CSS, yet they went ahead with a cipher that is more easily vulnerable to the same sort of guess-and-check attack. (None of the advanced Russian sparse matrix inversion techniques are required to make it practical.)

  • Re:Palladium != TCPA (Score:3, Informative)

    by Alsee ( 515537 ) on Monday February 17, 2003 @09:13PM (#5322700) Homepage
    The TCPA spec calls for

    I've read a good chunk of the TCPA spec. I understand what it is and how it works. The central TCPA design specification is that the owner of the machine MUST be denied access to his own encryption keys. The ONLY purpose of this requirement is to take control away from the owner of the machine. It is designed to enforce DRM and enforce Microsoft's monopoly.

    There isn't a single claimed benefit of TCPA or Palladium that you couldn't get with an identical system that lets the owner read his encryption keys based on a physical switch to control access to the keys. Unless of course you think losing ownership of your computer is a "benefit".

    a special chip to handle encryption duties

    Yeah, a side effect is that you can use the chip as a cryptography coprocessor. If that's what it was for you could have a BETTER, CHEAPER, FASTER, and HARMLESS cryptography coprocessor instead.

    Code signing and crypto coprocessors have NOTHING to do with denying an owner of the machine access to his own keys. TCPA and Palladium are a Bad Thing. Period. Drop the requirement to deny the owner access to his own keys and it would be a Good Thing, but then it wouldn't be TCPA/Palladium anymore.

    -
