|
|||||||||||||||||||||
|
|||||||||||||||||||||
 |
|||||||||
 |
 |
||||||||
|
|||||||||
 Rosetta Stone
What If Palladium Doesn't Work? By Robert X. Cringely In the couple weeks since Microsoft's Palladium security and digital rights management initiative was revealed, a hundred other writers and I have explored nearly every aspect of the plan except one: What if it doesn't work? This is Microsoft, after all, a company that typically takes three tries to get almost anything right, yet here we've all been reacting to Palladium as though it will actually run the way they say it will and do the things they say it will do. Probably not. The Palladium story, of course, is a grand one, but then Microsoft has always been good at painting a picture. Remember Windows 1, MS Net, MSX, LAN Manager, Windows for Pen Computing, Windows CE 1.0? Remember Bob? They were all junk, either virtually unusable or -- in the case of Bob -- usable but useless. Why should Palladium be any different? The very problems that it purports to solve are problems that existed because Microsoft allowed them to exist. And now we expect these same people to introduce a whole new security architecture and for that architecture to work in its first iteration? Yeah, right. Palladium seems like a whole lot of effort just to protect us from viruses and spam and to keep us from stealing movies and software, but you have to remember that this kind of big hardware (not software) initiative is core to Microsoft's business model. It is easy to forget that it is Microsoft, not HP or Dell or even Intel, that sets the spec for what PCs will look like a year or two down the road. They took this job away from IBM, so now the whole point isn't to be IBM-compatible or even Intel-compatible, but Windows-compatible, for which AMD is mightily grateful. But this design function is a matter of "use it or lose it." Microsoft has to keep evolving the PC spec so that hardware companies will have new stuff to build, and we'll be stuck with new stuff to buy. Forget that we're all still doing the same word processing, spreadsheet, database, web browser, e-mail -- we need a new computer! This is how Microsoft can impose such a hardware standard as Palladium. Have we heard any makers of Windows PCs saying they don't think they'll bother to build any Palladium PCs? Of course not! They have no choice. And since they want us to buy new computers, Palladium is probably in their interest. But is it in OUR interest? That depends on who we are. For all the insidious reasons that I've covered already from a couple different angles in previous columns, Palladium is clearly in Microsoft's interest, in the interest of shrink-wrapped software companies, in the interest of hardware makers and movie studios, but is it in our interest as users, customers, consumers? I don't think so. What does Palladium do for us, really? Normal users have little to gain from Digital Rights Management. We're the bad guys in that game, remember? Why would any of us feel the need to protect the copyrights of software, music, or video on our computers? Unless we're Stevie Wonder, it makes no sense. That aspect of Palladium is entirely for the benefit of other folks, not us. We just pay for it. But Palladium will protect us from viruses and spam. Now THERE'S a reason to buy a whole new PC! If Microsoft had limited Outlook to text e-mail, we wouldn't have a problem with mail viruses. They created this problem. Frankly, having HTML in my e-mail isn't worth anything to me, nothing at all. And Palladium's certificate-based anti-spam capability will be compromised in its first hour on the market, either by users who suddenly realize there are instances where they actually want to hear from people they don't know, or by Microsoft, itself, with some conflicting e-commerce initiative. Everything, you see, is about revenue, so anti-spam becomes a technique not for protecting consumers but for turning spammers into paying advertisers. Just watch it happen. I'm old and I know what I am talking about. But Palladium will protect our systems from intrusion and will keep our private information private, right? I don't think so. I wondered how a hacker -- a really experienced hacker who probably ought to be doing some serious jail time -- would react to Palladium? His is the community that Palladium is supposed to disenfranchise, yet so far we haven't heard from the black hats. All we've heard is guys like me writing "what if" stories. So I went to my friendly neighborhood super-hacker, and here's what he said (forgive the hackerspeak): Think the information given does not make sense since there are too many ways to subvert (e.g. the SCP -- you do not use PKI to encrypt, you use it to pass symmetric keys). Since the plain and crypto text *must* co-exist, subversion is trivial for a professional (and once the design is available, trivial for the kiddies). Suspect the key is here: "Microsoft believes that, if it did not support DRM at all, it would be at a competitive disadvantage." This does not mean that it must be effective, just that the perception must be that is more expensive to subvert (would suggest using a logic analyzer) than to use. Is really about copyright protection, not privacy.If I understand correctly what my friend has written above, the Palladium architecture presents a wily hacker with what is essentially a Rosetta Stone -- two versions of the same data (one encrypted, one not) from which one can quickly divine the key needed to transform one to the other. The original Rosetta Stone from Egypt carried the same message in hieroglyphs, demotic, and Greek, making it finally possible to translate Egyptian hieroglyphics, which mainly turned out to be beer ads and "WWF Smackdown" promotions. If true, this is just the sort of fatal flaw we tend to see in many Microsoft 1.0 versions. If it isn't true, there is likely to be another blunder just as big that someone else will discover as history repeats itself. What I am beginning to expect, however, is that Microsoft will pull back from Palladium, minimizing its importance, just as they did with most of the blunders I listed in the third paragraph, above. What will make them do this, however, is likely to be more than just bad code. Palladium, which is designed by an American company for an American market and in keeping with a wacko American copyright law, won't sit well with the Europeans, which represent the third largest IT market on Earth. Microsoft will eventually realize that it can no longer impose standards on Europe because there is a risk that the whole continent will embrace Open Source or some clever local architecture as an alternative. Even mighty Microsoft can't afford that. |
 Home | The Pulpit | I Like It | Baloney | Old Hat | Tell Me When | Pass It On | Bob's World |
