Can we trust Microsoft’s Palladium?

Critics say Redmond's new security initiative will imprison users. But why would Bill Gates want to do that?

Bruce Perens, a programmer, an author and a pioneer of the open-source software movement, has this axiom to describe the tech industry: “Nobody takes a new technology seriously until Microsoft does it.”

Perens is not a fan of Microsoft, and he does not offer this observation as praise. Instead, what Perens means is this: Nothing can get you contemplating the full and various horrors that might be enabled by some simple and even dull-sounding technology — “Web services,” say — quite like an announcement that Redmond is looking into it. It’s especially rattling, Perens continues, when Microsoft says it’s doing something unusually “big” or “ambitious,” and when it frames its plans in terms of security and privacy.

Perens’ observation held true in June, when Microsoft announced that it plans to use public-key cryptography and special cryptographic microprocessors to make the Windows operating system more secure. The initiative, called Palladium, after the mythological statue that defended ancient Athens against invaders, sits on a set of technologies that have long been in use. Neither public-key cryptography, which is decades old, nor the idea of using special hardware to bolster cryptography is new.

But it was only when Microsoft unveiled Palladium and disclosed that both Intel and AMD were willing to build hardware to support the plan that people became seriously worried about the idea of ubiquitous, cryptographically enabled and, in this case, monopolistically abetted “trusted computing.”

Many longtime critics of Microsoft have been quick to dismiss the idea as smoke and mirrors, mere public relations. It’s too complicated to ever actually work, some say, and it’s just an attempt to convince people that Microsoft is sincere about wanting to make computers “safer.” It’s also easy to see Palladium as no more than a gesture made to appease Hollywood and the recording industry, which have long been clamoring for such systems.

But what if it’s not all puffery? What if Microsoft does manage to build a foolproof Palladium and deploy it to 100 million users? Those questions elicit the really troubling scenarios. “If Microsoft has its way, there just won’t be any open-source software,” says Perens, referring to the thriving ecology of software development in which users freely share code and constantly modify each other’s applications. Perens is convinced that Palladium will let Microsoft decide which applications can run on a machine and which are simply too unsafe for public consumption — such as programs written by open-source hackers. Perens even thinks that’s the point of Palladium: “It’s designed to kill off open-source development.”

Open-source hackers aren’t the only ones who are worried. Palladium could also significantly strengthen digital rights management (DRM) — the ability of media companies to manage the content you play on your machine. At least in concept, critics say, Palladium could prevent the unauthorized copying of media of any kind, not only shutting off the MP3 file-sharing free-for-all but also interfering with the rights of consumers to make personal copies of music or movies that they purchased legitimately.

Could Palladium function as a kind of technological straitjacket, a Redmond-operated remote control over your data and, in consequence, your life? According to those who’ve looked closely at the proposal, the answer is a definite, unhelpful “maybe.” But the better question is this: Why would Microsoft want to build such a restrictive system?

“It would be a very expensive proposition just to satisfy Hollywood,” says David Farber, the chief technologist of the Federal Communications Commission. Microsoft itself says that Palladium is not meant as a vehicle for DRM — that it will play anything users want it to play, whether that’s an MP3 grabbed from KaZaA or an illegally copied “Simpsons” episode. More to the point, if Microsoft did come up with a restrictive hardware and software solution that clamped down on user freedom, people would just find a way to work around it, say some observers. Either folks will break the system, which is not inconceivable, or they’ll use another system. And from what we know about Bill Gates, this much is clear: The thing that keeps him up at night is the thought of people using other systems.

Microsoft is going out of its way to tell users that Palladium won’t stop them from doing what they like on the Internet and that, scout’s honor, everything the system does will be to the good. According to Peter Biddle, a Microsoft product manager, Palladium is nothing more than an elegant solution to the vexing problem of keeping people secure on the Internet, a goal that Gates has set as one of the company’s main objectives.

The strongest part of Palladium will be its ability to determine whether a given software application should run on a machine. The system will be shipped with these functions turned off, but “we actually think it’s likely that users will say, ‘I’m only going to run code that’s been signed,’” Biddle says. By “signed,” Biddle means that the application has been cryptographically tagged by a “signing authority.” The Palladium system would run the code only if the user has approved that specific authority.

Theoretically, this would make computing much safer. If you set your machine to run code that’s been signed, then the many errant applications — viruses, spyware, adware and the like — that float into your machine without your express knowledge would find no shelter on your desktop. “For years we’ve dealt with computer systems that were basically not secure at all,” the FCC’s Farber says. “This could be a step in the right direction.”

Farber is no Microsoft stooge. He testified against the company during its antitrust trial, telling the court that Internet Explorer was not actually an integral part of the operating system, as Microsoft had claimed. But he appreciates that Microsoft is taking the initiative in security, because businesses and, to a lesser extent, home users are afraid that computer systems don’t keep their data safe, and because the situation is becoming worse.

Farber concedes, though, that whether or not one thinks of Palladium’s architecture as a boon to security “depends on what you believe Microsoft’s long-term aims are. If you believe it’s to stimulate commerce and stimulate security, it’s a step in the right direction.” But if you’re more “neurotic” than that, Farber says, and if you’re perhaps given to suspicions that Microsoft always makes decisions with the aim of frustrating competitors of the Windows empire rather than for the good of consumers, you might have a different view of the same architecture.

“Until we see it, until we actually look at the code, until we go through the whole process and see how the whole system will work, we won’t know what it’s like,” Farber says. “If they do it all right, it might work — but it can be misused.”

A key question about Palladium’s process is this: Who will be authorized to sign code? Microsoft says that it will have no say in that process. There will be multiple code-signing authorities, and they will be “self-vetted,” Biddle says. “They go into business saying, ‘We’re here to sign this code.’” Microsoft would make no claim about the safety of that code, Biddle says, and the code signers would not be compelled to do so either. A cryptographic signature, then, would essentially work like a Good Housekeeping seal of approval, and you could decide whether to trust the code based on what you think of the signer. In theory, an organization like the hacker/cracker publication 2600 could sign code, Biddle says, as could open-source companies and free software advocates or whoever else people trust.

“We actively encourage and are pursuing a strategy that says the hardware runs everything it runs today,” Biddle says, implying that Palladium is not designed specifically to prevent certain kinds of software from being used.

But Perens and others note that the final authority to give signing status to a certain group or individual — or to revoke signing status — would necessarily lie in a central location, presumably with Microsoft. Could Microsoft abuse that status? Would the company charge to license its keys, or give preferential treatment to some companies? And even if Microsoft plays fair with the keys, Perens says, and if it’s just as easy for scrappy developers to sign their code as it is for corporations, the whole system would still be impractical for open-source developers.

By definition, the code in an open-source application is not set in stone. The whole point of the General Public License, the license under which Linux-based operating systems are offered, is to allow people to modify code ad infinitum. But under Palladium, an application that has been modified loses its signature. Each new version of an application, therefore, would presumably need a signature before it could run on a system.
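The signing model described above, as an added illustration in Go (not code from the article, Microsoft or Palladium): a user-held list of approved signing authorities, a check that the signer is on that list, and a signature that stops matching once a single byte of the program changes. Authority names, keys and program bytes are constructed here; real Palladium details are not on the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authority is a hypothetical code-signing authority: a name plus its public key.
type Authority struct {
	Name   string
	Public ed25519.PublicKey
}

// SignedCode is a program image together with the signature an authority issued over it.
type SignedCode struct {
	Image     []byte
	Signer    string // name of the authority that signed the image
	Signature []byte
}

// Policy is the user's local set of approved authorities, the
// "I'm only going to run code that's been signed" setting from the article.
type Policy struct {
	approved map[string]ed25519.PublicKey
}

func NewPolicy(auths ...Authority) *Policy {
	p := &Policy{approved: map[string]ed25519.PublicKey{}}
	for _, a := range auths {
		p.approved[a.Name] = a.Public
	}
	return p
}

// Check decides whether an image may run: the signer must be approved by the
// user, and the signature must still verify over the exact image bytes.
func (p *Policy) Check(sc SignedCode) error {
	pub, ok := p.approved[sc.Signer]
	if !ok {
		return errors.New("signer not approved by user")
	}
	if !ed25519.Verify(pub, sc.Image, sc.Signature) {
		return errors.New("signature does not match image (modified or forged)")
	}
	return nil
}

// Sign issues a signature over an image under an authority's private key.
func Sign(name string, priv ed25519.PrivateKey, image []byte) SignedCode {
	return SignedCode{Image: image, Signer: name, Signature: ed25519.Sign(priv, image)}
}

// Demo exercises three cases: approved signer, modified image, unapproved signer.
func Demo() (approvedOK, modifiedOK, unapprovedOK bool) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader) // constructed authority A
	_, privB, _ := ed25519.GenerateKey(rand.Reader)    // constructed authority B (not approved)
	policy := NewPolicy(Authority{Name: "AuthorityA", Public: pubA})
	image := []byte("constructed program image v1")
	good := Sign("AuthorityA", privA, image)
	approvedOK = policy.Check(good) == nil
	modified := good // same signature, but one byte of the image changed
	modified.Image = append([]byte{}, image...)
	modified.Image[0] ^= 0x01
	modifiedOK = policy.Check(modified) == nil
	unapprovedOK = policy.Check(Sign("AuthorityB", privB, image)) == nil
	return
}

func main() {
	a, m, u := Demo()
	fmt.Printf("approved signer runs: %v, modified image runs: %v, unapproved signer runs: %v\n", a, m, u)
}
```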

Perens says that “what is new here is that the customer’s PC is getting hardware with the specific purpose of constraining the customer. Never before has a customer received a speed governor on his car — and this is worse than a speed governor. It’s like saying, ‘You may never drive into this part of town.’”

It’s worth pausing to think about Perens’ example for just a second. Surely some lawyer somewhere has suggested to one of the Big Three automakers that adding speed governors to its fleet could save the company a penny or two in legal costs. So why don’t we have speed governors in our Fords? Right — because you wouldn’t buy a car that’s constrained by a speed governor, just as you wouldn’t want to buy a CD that doesn’t play in your DiscMan, or pay for a music subscription service that doesn’t allow you to permanently record its music.

Brian Behlendorf, the co-founder of the open-source Apache Web Server Project, calls Palladium “subtractive” for just that reason. “It feels very much like a genie is out of the bottle on this,” he says. “Let’s say they ultimately get this fierce line of control around this. It could make people look at hardware alternatives, because it’s a subtractive value to end users. Look at the interest in region-free DVD players, or mod chips for the Xbox.”

In other words, people will look for other options if Microsoft gets too restrictive. And that’s the last thing Microsoft wants.

Microsoft argues that Palladium can always be switched off by users who think it’s bad news. If Palladium becomes ubiquitous, critics respond, that may not be an option.

“If you turn it off, then you are an island,” says Perens. “You can’t communicate with others. Everyone will be using this DRM, and you can’t view Web pages.”

Just about everyone who commented on Palladium feared the possibility of being compelled to use the system because someday it will be the only platform that will play content. “That’s the core of the Palladium thing,” says Miguel de Icaza, founder of the open-source software company Ximian. “What they want is to have the media companies feel safe.”

The media companies, de Icaza’s argument goes, would design their CDs, DVDs, e-books, Web pages and all their other content to show up only on a Palladium system. Media that’s been tampered with — a ripped CD track converted to an MP3 — would lack a cryptographic watermark, and Palladium would therefore refuse to open it.

Media companies yearn for such safety. Earlier this year, they got Sen. Ernest “Fritz” Hollings, the South Carolina Democrat who chairs the Senate Commerce Committee, to introduce a bill that could provide them with some measure of legislative safety. Hollings’ bill, the Consumer Broadband and Digital Television Promotion Act (CBDTPA), would require virtually all electronic devices, from CD players to PCs, to include copy-protection mechanisms. And now, say critics of Palladium, Microsoft is offering a computer system designed to satisfy the Hollings bill, a system that has at its heart what Ross Anderson, a Cambridge computer scientist, calls the “Fritz chip.”

Microsoft denies that Palladium is a Trojan horse that will allow it to slip DRM into computer systems. “Turning Palladium on is not the same as turning DRM on,” says Biddle. “This will allow you to do a much better job of protecting your privacy. So from an end-user benefit perspective, that’s what we’re focusing on. We’re not focusing on creating a DRM infrastructure.”

He acknowledges that Palladium will strengthen DRM, and it’s conceivable, he says, that you may need to turn on DRM to play some content. But “that’s up to the seller of the DVD, and it’s also our belief that any content worth stealing is going to wind up on KaZaA or whatever, and we can’t stop that. DRM and Palladium don’t do anything to prevent people from downloading movies off the Web. We can’t tell the difference between a home movie and a DVD. To Palladium, they are the same. There are some people who believe that with watermarking you could tell the difference, but we aren’t believers that watermarks are robust enough to do that, so we’re going to play it all.” Even your cherished collection of stolen MP3s, Biddle says, would work without any problems on Palladium.

Biddle’s comments are noteworthy, as they appear to run contrary to overall Microsoft policy. The company offers its own DRM programming suites, and it has always publicly supported Hollywood. Through the Business Software Alliance, it has also fiercely protected its own intellectual property.

It’s also hard to tell whether Biddle really means it when he says that Palladium won’t be able to stop media theft — but he’s right. As proved by Ed Felten, the Princeton computer science professor who cracked SDMI, the recording industry’s ballyhooed DRM technology, watermarking doesn’t ensure media security. Invariably, one whiz-kid hacker or Ivy League coder will find a way to get around such a system, and short of throwing people in jail (not out of the question), DRM will break. Microsoft, perhaps, is wise to this.

Biddle’s arguments about DRM are also somewhat muddied by the fact that late last year Microsoft was quietly granted a patent for just what he says it’s not building: “The Digital Rights Management Operating System,” protected by U.S. patent numbers 6,330,670 and 6,327,652.

“In a very real sense, the legitimate user of a computer can be an adversary of the data or content provider,” one of the patents says. “‘Digital rights management’ is therefore fast becoming a central requirement if online commerce is to continue its rapid growth … If measures are not taken, traditional content providers may be put out of business by widespread theft, or, more likely, will refuse altogether to deliver content online.”

Chris Hoofnagle, of the Electronic Privacy Information Center, says that such a system would harm, not secure, your online privacy. “Many of the DRM systems rely on personal information, and it basically ties a person to a piece of content,” he says. “The Palladium system and many of the services offered are going to depend on your identity — but Microsoft has been very clever in presenting this as a system that can make you safer on the Internet.”

Microsoft, for its part, says that it’s very sensitive to claims that Palladium will be bad for privacy, and it has been offering to work with privacy groups to make sure it gets the system right. The Electronic Frontier Foundation, an online-rights advocacy group, has been briefed on Palladium and it says it’s studying the system and will soon offer an opinion.

What the EFF and the rest of the industry probably want to know is whether Palladium, in the end, will be good for regular people. For all its faults, Microsoft is not known for kicking its customers in the teeth. If Palladium stops viruses, doesn’t constrain your machine, and doesn’t invade privacy — above all, if people are allowed to control Palladium, rather than vice versa — would the system be so bad?
