Jon Lasser, 2002-07-17
Why Microsoft's Palladium project threatens to send Linux and open-source into exile.
And the major security goals don't need hardware
2002-07-18
Nicholas Weaver (1 replies)
The Devil And The Deep Blue Sea
2002-07-18
Anonymous (6 replies)
I am amazed that you would choose to write about something that you clearly know nothing about. But, given your recent articles, it seems to be a trend. TCPA hardware will NOT keep Linux from running any more than it will keep Win95 or Win2000 from running. If you don't call the features of the h...
The Devil And The Deep Blue Sea
2002-07-19
Anonymous
> Saying that M$ would have to sign a Linux kernel for it to run is simply stupid, uneducated, FUD generating drivel. The problem is that some of your readers might actually believe you, and begin to make decisions based on your absurd conclusions.
GOOD! It's about time M$ took some of their own m...
The Devil And The Deep Blue Sea
2002-07-19
Anonymous (1 replies)
http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
Read this!
So how long have you worked M$?...
The Devil And The Deep Blue Sea
2002-07-23
Anonymous
You say read this:
http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
I have read it. I have also read the TCPA specification. I have also read Seth Schoen's notes at
http://vitanuova.loyalty.org/2002-07-05.html
My conclusion from that reading is that Anderson needs to go back to the TCPA spec...
The Devil And The Deep Blue Sea
2002-07-19
Anonymous
I am glad to see such an informed and logical debate. Okay, while it is fine to disagree with someone based on the fact that they have no concrete information, I would like to point out a few things:
1) Of course nobody has any concrete information because Palladium hasn't been created yet. Duh! ...
Unbelievable
2002-07-18
Anonymous (5 replies)
Surely MS doesn't think that all PC manufacturers will stop making "open" pc's when / if Palladium comes to market.
And surely MS doesn't think that THEY will have the authority to decide what code will be allowed to run on every desktop that is made.
And surely nobody with a lick of securit...
Unbelievable
2002-07-19
Anonymous (2 replies)
Unbelievable
2002-07-19
Anonymous
I agree wholeheartedly.
I hear a lot of people complaining about the overhype of this and that it's hysteria. I think of Y2K when I hear stuff like this.
But I say - overhype your heads off. If it helps make the playing field of OS's better for the consumer (myself included), yip-EE. Bring ...
Unbelievable
2002-07-20
Anonymous
>> Surely MS doesn't think that all PC manufacturers will stop making "open" pc's when / if Palladium comes to market.
They won't care about that or if it can be turned off. They'll insure that to use web sites, communication won't be established unless both have the hardware security turn...
The Devil And The Deep Blue Sea
2002-07-18
blacklight (1 replies)
I haven't checked what happened with OpenSSH, but so far as I know the Apache support people came up with a workaround within hours of the announcement of the "chunked" vulnerability and followed up with a working patch within a few days - Post-sales service is what differentiates a vendor you want ...
Take a chill pill
2002-07-18
Anonymous Bastard (3 replies)
Microsoft already has the technical ability to force every computer in the world to run their software. They have had this ability for years. How? It's simple--force every processor company to build processors that work only with a Microsoft operating system. Or, force every motherboard company ...
take your own advice
2002-07-19
rsullivan@art-line.com (1 replies)
Force every processor and motherboard to only be compliant to MS products? There's a little problem that they were having with IE, and it was called a "monopoly". MS also has no control over chip makers. Intel could care less about what software is run on it's systems. Gateway put the sticker on i...
Re: take your own advice
2002-07-19
Anonymous Bastard (2 replies)
Eh? I think we're in agreement, not disagreement! My main point was that Microsoft is constrained by business and legal factors. The monopoly problem you referred to is a legal constraint. And, as you said, "Intel could [sic] care less about what software is run on it's [sic] systems." In other...
Re: take your own advice
2002-07-19
Anonymous (2 replies)
Of course, if MS actually got Intel to agree to an add on chip that only ran MS signed code for TCPA/Palladium, the anti-trust issues would be huge. Intel is pretty careful about anti-trust issues and I doubt they would go there. In the mid 90's Intel could have easily driven Cyrix and AMD out of bu...
happy x86 processor world? riiiiight...
2002-07-19
Anonymous (1 replies)
You said:
In my experience people are resigned to using MS, not happy about it. Contrast that with the x86 processor world.
I correct you thus:
I am resigned to using x86 and am NOT happy about it. Over the years (the pentium-II -> 3 days in particular) I have purchased lots of x86 chips from I...
Re: Take a chill pill
2002-07-19
Jm4n
I have to agree with most of your points. I also wanted to add that, from what I've read so far, this will be a completely optional component. The user can enable/disable this "feature" at will (much like the PIII processor serial number). I believe the user can choose what signing authorities t...
Take a chill pill
2002-07-21
Anonymous
It's a step in the wrong direction and you can not deny it.
Open your eyes and see that Microsoft has a habit of being sneaky and aggressive. Of course they wouldn't just call those guys up and demand that they stop supporting Linux. They take it one tiny step at a time. Slowly covering the wool ...
And they expect JIT Java and .NET compilers to operate?
2002-07-19
Anonymous
There are lots of applications that use dynamically compiled executable code. Many graphics libraries, for instance. Not only that, a significant chunk of PCs are built to run the user's in-house code. 90% of all software written is NOT shrink-wrap, being developed internally to the user-company....
The Devil And The Deep Blue Sea
2002-07-19
Anonymous (1 replies)
Lasser, once again you prove yourself to be a massive tool.
Within weeks of Microsoft's ".NET" initiative hitting the shelves (ie: release), the Linux/OSS version will be released. What makes you think that Palladium will be any different? There will be plug-ins the world will go on. OSS has noth...
OSS version of Palladium
2002-07-20
Abri
Palladium is not about code that can be copied by an OSS version. Palladium is an idea to stop the creation of "unauthorized" programs to run. The whole idea of Palladium is for ONE body to have central control over digital signing of binaries. All hardware only listens to codes from that one body. Tha...
The Devil And The Deep Blue Sea
2002-07-19
SkyLeach
There is only one way digitally signed hardware layers can work: encryption. So if something is encrypted, you must have the key to decrypt it. If the key is encrypted by the signer, and the signer must verify authenticity before they will provide the key, then the end user is completely subject...
Palladium and buffer overflows
2002-07-19
Anonymous (6 replies)
I may be completely stupid here, but don't buffer overflows modify the application as it resides in memory? Everything I've seen on Palladium (which, admittedly, is little) seems to indicate that it prevents unsigned or altered code from being launched, checking the executable's signature on startu...
Palladium and buffer overflows
2002-07-19
Anonymous
Yeah, that's what I was thinking. Buffer overflow attacks cause arbitrary code to be executed *in the context of the now-crashed application*. And, in a Windows system, what apps don't run with high privilege? I don't see how Palladium can defend against that. What it can defend against is som...
Palladium and buffer overflows
2002-07-19
Anonymous
A buffer overflow is a runtime event.
Here's an example: The developer has only allocated 32 bytes for a buffer. The attacker manages to stuff 64 bytes into it. Those 64 bytes are copied into the storage space allocated for the buffer. The "extra" 32 bytes don't just disappear: they get placed in...
Palladium and buffer overflows
2002-07-20
bufferoverwhelmed
Microsoft is addressing the question of, "why can't an operating system protect itself and other users from buggy code?" Their answer seems to be using hardware to cover for their bad operating system coding. How about a followup with some meat instead of more FUD?
So far no one has stated how ...
Palladium and buffer overflows
2002-07-21
Anonymous
I have to agree. Unless Palladium is checking each branch to make sure it's to "signed" code, it won't make a difference.
( and no, that still wouldn't stop everything )
So Palladium is useless against buffer overflows, the biggest security problem
Palladium could be slightly effective again...
Palladium would NOT stop buffer overflows...
2002-07-21
Nicholas Weaver
Palladium's code signing has no effect on buffer overflows.
The only restriction which it might impose which would have an effect on buffer overflows is basically "No executable stack AND heap", which could both be done using the current VM system and breaks JITs of all stripe.
...
Pride goeth before a Fall
2002-07-19
Anonymous
As Bruce Schneier of Counterpane likes to point out, cryptography and security are hard to get right. Microsoft has a long history of taking three released versions to get software right, and that only means getting the bug level down to tolerable levels. And Intel has been known to botch the impl...
Couldn't _anyone_ make a "signature stamp"?
2002-07-19
Mad Ivan
Question - couldn't 'trusted' OSS individuals or organizations create their own keys and sign software? For example, if RedHat signed their kernels and binary distributions, or the Debian organization's key members published keys they created, open-source groups could trust them. For individua...
No evidence for these claims
2002-07-19
Tamperbell (2 replies)
There is no evidence for claims such as Palladium systems not letting Linux or other OS's run, or allowing only signed software to load. In fact the technical information which has come out so far indicates just the opposite.
http://www.neowin.net/comments.php?id=5530 is a Palladium white paper ...
No evidence for these claims
2002-07-22
Anonymous
What is the point of making a system that restricts undesirable software from running if you choose not to use it I wonder? I have heard a lot of "Well we could do that, but we won't" from the M$ camp on this issue, but it seems to me that no one invests in something they don't plan to use.
More...
No evidence for these claims
2002-07-23
Anonymous
Then what would be the point of Palladium in the first place? How would it protect a system if it still allowed unsigned code to run? Granted I do need to investigate further, but everything that has been spouted in every news source I read (quite a few actually) has said that Palladium will prevent...
The Devil And The Deep Blue Sea
2002-07-19
Anonymous
No, buffer overflows do not modify executable code. A buffer overflow is what happens when a chunk of allocated memory devoted to storing transient data (i.e.: keystrokes, filesystem caches) before it can be processed "overflows" its allocated space and "spills over" either into other data, or ex...
MSFT won't fix Outlook so we must lock hardware? won't work
2002-07-20
Anonymous
Microsoft (and/or vendors who aren't required not to flip a bit) could ship Outlook defaulted not to run scripts or run attachments, but they refuse to do so. This would be a nearly trivial change.
Instead they propose some platform that won't fix anything.
What happens if you DO have a buffe...
Alternate hardware
2002-07-20
Anonymous
I secretly hope they do succeed in this. I write this from Sun hardware. A Blade 100, which is $995 from Sun. If there is a demand, the hardware will continue to exist.
Have you ever been to docs.sun.com? It's quite the site. Everything is documented. Everything is open. One can hardly fin...
The Devil And The Deep Blue Sea
2002-07-20
Anonymous
Ok, I'm not sure if this is supposed to create hysteria, but in my eyes it failed. I clearly doubt the validity of this article. On a side note, I realize that Microsoft is the people's "enemy" but, come on people give it up. If there wasn't a company like MS out there where would we be? With such a s...
It's all about trust
2002-07-20
Anonymous
This is what I see
Microsoft, the entertainment industry (RIAA, Hollywood movie companies) and hardware manufacturers appear to be working together on this.
I trust Microsoft in the following ways
They will buy out and incorporate competing software (embrace and extend) or kill off competi...
The Devil And The Deep Blue Sea
2002-07-22
Anonymous
Just one more scheme by MS to be the one and only.... How long will it take before someone wakes up and sees that MS wants it all and does not want to play nice with others. So far, even the federal government has been incapable of protecting us from MS goal of world domination.
In fact, the g...
The Devil And The Deep Blue Sea
2002-07-22
Anonymous (1 replies)
I don't think there is too much to worry about. Japan is presently setting up a large group of people to develop Linux as is most of that part of the world. If MS go too far it will find that they can't sell to the east who don't want to know about a technology like this and that the west starts to ...
The Devil And The Deep Blue Sea
2002-07-22
Anonymous
If people have half a brain they would be boycotting Intel and M$ entirely. This technology is evil. Consumers have no need for this technology, and should be made aware of its implications. It does nothing to enhance the consumer platform but I see it as a rather massive form of DoS on the consume...
The Devil And The Deep Blue Sea
2002-07-23
Anonymous (1 replies)
If anyone knows of ways to get this to the mainstream media or at least ways to spread the word I want to do anything I can to help. ...
The Devil And The Deep Blue Sea
2002-07-23
Anonymous
Hey, sure thing. I'll contact the major venues now. Does the New York Times and Wall Street Journal sound good? It will go something like this:
"Anonymous is pissed off about Palladium, and says he wants to help however he can. You should contact him. Oh, but Anonymous seems to support Palla...
I will never buy it and anyone who is smart won't either.
2002-07-23
Anonymous (1 replies)
Refuse to buy the crappy, handicapped hardware that is 'Palladium' and watch it get flushed down the toilet.
Anyone who has even 1/4 of a brain should avoid this like the plague and fight any attempts for it to be legislated in.
...
I will never buy it and anyone who is smart won't either.
2002-07-25
Anonymous
Then you'll have to stay behind the times in the case of hardware. Since Intel and AMD are both involved, later generations of their chips may only be available with a motherboard that has Palladium on it.
Basically, (when it comes out) "You want the hot new 200GHz Pentium IX you gotta get a moth...
And even money can be forged.... why not code?
2002-07-25
José Azevedo
Greetings,
The way I see it is quite simple.
Everybody is fussing about TCPA and Palladium, believing with the bottom of their hearts that it will solve every problem that bad code or a bad code language can bring to us.
The thing is, signed code can go an extra mile, but it is still way too ...
Copyright and Anti-piracy laws
2002-07-29
Anonymous
http://www.wired.com/news/politics/0,1283,51274,00.html
Anyone keeping up with this? I thought the court ruled code was a form of speech sometime ago. Wouldn't these copyright laws affect our constitutional rights? If I get the gist of what these laws propose to do, it will be enforcing that I ...
It is time for "security enhanced linux" to be put on the front burner NOW!
2002-07-29
100% of distros should be 100% SE Linux
See and understand: http://www.nsa.gov/selinux/
"End systems must be able to enforce the separation of information based on confidentiality and integrity requirements to provide system security. Operating system security mechanisms are the foundation for ensuring such separation. Unfortunately, ...