
Thoughts on Palladium - Microsoft's push for tighter computer security

pm

Elite Member Mobile Devices
I was thinking about the problem of spam email the other day while riding my bicycle home from work. I have a pretty long trip so I had plenty of time to contemplate the problem. The problem is that anyone can send as much email as they like, there is no definite way to identify the sender, and there is no perfect way to separate legitimate mail from spam. On the filtering side, SpamAssassin (SA) is about the highpoint in my mind of intelligent filtering systems but even with SA I still have some legitimate mail filed as spam and some spam makes it through to my legitimate email inbox. So that's the last method out of the question, the first method is part of the network - there is no easy way to charge per email. About the only thing that I thought of during my long bike ride home is that the only way to get rid of spam altogether is to be able to secure the system much better than it currently is. Set up trusted hosts, and trusted users, and make sure that you can track people online. Once you can easily identify the culprits, you can punish them and this will set an example to future spammers. But the bottom line was that the only thing that I could think of to solve the problem involved a much higher level of security and a much lower level of anonymity than users currently share on the internet.

Most users may disagree with my assessment. In fact, I'd probably be reduced to a small pile of charcoal by the flamethrowers on Slashdot.org for suggesting this there. But one interesting point that I discovered today is that Microsoft seems to have come to the same conclusion that I did independently.

Details of Palladium - Microsoft's new encompassing security endeavor - were released yesterday and have been gradually making the rounds on the Internet. The original article on the subject by Newsweek's Stephen Levy was posted on MSNBC yesterday and it's here. It's worth reading this version, although it sounds like a Microsoft press release, because this one tends to be slightly more objective than the other articles that I have read online that proclaim that this is MS's attempt to eliminate Linux. I'm not sure if I agree with this assessment, but regardless it's also interesting to read the opposing view.

What do other people think about MS's latest proposal to integrate hardware and software to reduce the problems of spam, viruses and the cost of decreased online anonymity?

The engineers at Intel that I eat lunch with tended to grudgingly admit that this solution could solve many of the online computing issues today if it is completely pervasive. But no one was very happy with the thought of decreased privacy online.

Edit: Fixed the link. Thanks, Shadow.
 
sorry, this reply isn't really highly technical... but relinked

I just recently read an article at Ars Technica referencing the same issue... There's a paper written about the alliance among Compaq, IBM, HP, Intel, and Microsoft.

IMHO, Palladium may be beneficial to many people. Sure, secure seems better, right? To most casual users, most likely. I'm a little disappointed with the fact that Hotmail's spam filtering is rather ineffective (or maybe it's just in my case). And the possibility that UNIX will be eliminated from the market - well, I'm still lamenting the fact that BeOS is gone... (heh, sorry, childish reminiscing).

Unfortunately, most people desire a high level of anonymity on the Internet... And people take advantage of that for unscrupulous means, too. Higher security is always great but will it ever be foolproof? Higher security is usually in the defensive - I don't mean to be pessimistic, but when has higher security been totally effective?

Just some thoughts. Enlighten me.
 
Frankly, I trust anonymity over mandatory corporate tracking to ensure my privacy on the net.

And I suspect this is more about digital rights management ("Sorry, you've exhausted your initial plays of this CD. Would you like to purchase more?"), and furthering Microsoft's stranglehold on the market than it is about security.
 
Another thought on your e-mail example...
What makes you think that Palladium can stop spam?
It seems that spam is stoppable now if there was the will to do it by ISP and the organizations that own the bandwidth.

Spam senders have to get a connection & bandwidth from somewhere. And if you're close enough to the source, I suspect it would be easy to spot the offenders. So, why aren't they shut down?

Because they pay their bills.

If Palladium is in place, they will still pay their bills, and somebody will sell them the certificates they need to be seen as a "trusted sender". Unless of course Microsoft sets itself up as the final arbiter of who is trusted ... shudder. "Now all restaurants are Taco Bell."
 
I personally dislike the thought of decreasing anonymity over the Net. And I personally dislike the fact that Microsoft is trying to get more of a foothold in my life.

Joking aside - yes, there is only so much privacy on the Internet - but what little we have, of course we appreciate. At least, for me. It does seem that Microsoft is just trying to monopolize more aspects of the market - not just by shutting out the *nixes. Spam reduction is desirable - but the means by which such reduction is implemented matter too.

I wonder how much longer I can keep using Win98SE. 🙂
 
Frankly, I trust anonymity over mandatory corporate tracking to ensure my privacy on the net.
I agree - I would prefer the headaches of anonymity. Regarding spam: I threw together a program on my linux box to solve it:
if an email doesn't contain a password, it gets bounced with a message informing the sender of the password. You can also add email addys that get delivered regardless of whether or not they contain the password. Now, you might think sending the password back would defeat the purpose, BUT 99% of the spam I get is from forged senders anyway. The rest of them probably would disregard the bounce (give it an "ERROR" subject or something), and only a few could get through.

Another potential system would be networks of people who "vouch" for each other. Then you could assign levels of trust for your friends, their "friends", etc. If someone spams, they AND their friends would get "punished".

IIRC, another part of Palladium is the inability to run unsigned/trusted apps. That is unacceptable to me. I will run what I want, whether it is malicious or not - I tend to be a fairly good judge 😉. AND... what happens when this "secure" system is cracked? The more people trust it when that happens, the worse it will be.
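
The password filter described in the post above, sketched in Python as an added example; it is not the poster's program, whose code is not on the page. The password, addresses and sample messages are constructed, and the "hold" action for automatic mail is an assumption added here so the filter never answers another auto-responder.

```python
import email
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed values for this example (not from the post).
PASSWORD = "heron-42"
ALLOWLIST = {"friend@example.org"}   # delivered regardless of password
OWNER = "me@example.net"


def searchable_text(msg):
    """Return the subject plus every decoded text/plain part."""
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        data = part.get_payload(decode=True) or b""
        try:
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
        except LookupError:              # unknown charset label
            chunks.append(data.decode("utf-8", "replace"))
    return "\n".join(chunks)


def is_automatic(msg, sender):
    """True for mail that should never receive an automatic reply."""
    auto = msg.get("Auto-Submitted", "no").strip().lower()
    precedence = msg.get("Precedence", "").strip().lower()
    return not sender or auto != "no" or precedence in {"bulk", "junk", "list"}


def classify(raw):
    """Return (action, reply); action is 'deliver', 'hold' or 'bounce'."""
    msg = email.message_from_string(raw)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in ALLOWLIST:
        return "deliver", None
    if is_automatic(msg, sender):
        return "hold", None              # added safeguard against reply loops
    if PASSWORD in searchable_text(msg):
        return "deliver", None
    reply = EmailMessage()
    reply["From"] = OWNER
    reply["To"] = sender
    reply["Subject"] = "ERROR: message not delivered"
    reply["Auto-Submitted"] = "auto-replied"
    reply.set_content(
        f"Your message was not delivered. Resend it with '{PASSWORD}' "
        "in the subject or body."
    )
    return "bounce", reply


# Constructed sample messages.
SAMPLES = {
    "friend": "From: Friend <friend@example.org>\nSubject: lunch\n\nNoon?\n",
    "stranger": "From: stranger@example.com\nSubject: hello\n\nBuy now\n",
    "retry": "From: stranger@example.com\nSubject: hello heron-42\n\nHi\n",
    "robot": "From: list@example.com\nPrecedence: bulk\nSubject: x\n\nNews\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw)[0])
```

The From header is unauthenticated, so both the allowlist match and the bounce destination rest on a value the sender controls; with forged senders the bounce goes to whoever owns the forged address.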
 
One thing I have learnt about the internet is that people will resist any system whereby you need Person C's permission to talk to Person B. The internet grew up out of informality and trying to homogenize it will fail IMHO.
 
But what if the primary internet backbone routers were configured to only transmit - or more realistically - give preference to packets operating between trusted clients and trusted servers? The internet is already heading towards this with layer 3 switches and the (conspiracy) theory is that eventually the internet will be a tiered service, with highest service levels going to those who pay for it (references for this available on request. 🙂 ). But if some form of authentication were tied into the main routers, there would be little that could be done. Non backbone routers could be used (universities, etc) but then the overall quality of the network from a user's perspective would degrade.

For clarification, I'm not in favor of any of this. To some extent, I'm trying to scope out my ideas on the way that the internet could be heading in the future. I see spam and security as a fundamental problem with the internet that will grow worse with time - most people would probably agree with this statement. The question is how will this problem be addressed. I see Microsoft's solution and I've seen the hardware vendor's solution. And I've wondered how I would address it if I were the engineer put in charge of fixing problems like these.
 
22. But isn't PC security a good thing?
The question is: security for whom? The average user might prefer not to have to worry about viruses, but TCPA won't fix that: viruses exploit the way software applications (such as Microsoft Office) use scripting. He might be worried about privacy, but TCPA won't fix that; almost all privacy violations result from the abuse of authorised access, often obtained by coercing consent. If anything, by entrenching and expanding monopolies, TCPA will increase the incentives to price discriminate and thus to harvest personal data for profiling.

The most charitable view of TCPA is put forward by a Microsoft researcher: there are some applications in which you want to constrain the user's actions. For example, you want to stop people fiddling with the odometer on a car before they sell it. Similarly, if you want to do DRM on a PC then you need to treat the user as the enemy.

Seen in these terms, TCPA and Palladium do not so much provide security for the user, but for the PC vendor, the software supplier, and the content industry. They do not add value for the user. Rather, they destroy it, by constraining what you can do with your PC - in order to enable application and service vendors to extract more money from you.
 
What do other people think about MS's latest proposal to integrate hardware and software to reduce the problems of spam, viruses and the cost of decreased online anonymity?

As far as I have seen, the more M$ integrates its software (and/or hardware in the future) the less secure it becomes. Sometimes just having MSN Messenger, not using it, can still cause critical security flaws due to none other than the tighter integration.
 
As usual n0cmonkey is right on the point....

They want total control.... they want to know when you see what page, when you send mail to whom, when you buy
what stuff from whom...basically when, where and what are you doing...

It started with .NET, Passport, now they're putting Palladium... next you'll get the DRM PC for which Microsoft already has
patents...

In the end you'll get a Microsoft only monopoly over the whole Computer(IT) industry....

Heck, you won't even be able to get one of those wonderful programming languages off the Net and make a program
with it, because even if the language is certified to run, your programs will surely not be... and the price for that certification
will be so high that it will cancel any chances that normal working people have of getting them.....

Say goodbye to OpenSource, Linux, BSD, shareware(it didn't work anyway) freeware....and welcome to pay to use
computer....

Hope that the EU gets an enlightenment in time and forbids this here... at least they're already pushing for open source
so this is obviously against it!
 
Hmm. Ok. Well, it looked good on paper.

Thanks for explaining the downsides in detail, everyone.
 
It might be good, but it has to come from a broader base... and it has to be based on
open standards anyone can use. The IP protocol itself is a good example of an open standard
that works.

I mean heck I wouldn't trust Microsoft to handle my email or my internet connections, now they
want to handle all my private information?? No way......

I would trust an independent institution (non profitable) with regular outside audits, and even that
would require a lot of trust...

I think there are better ways to address all the issues that Palladium wants to address!
 
I think there are better ways to address all the issues that Palladium wants to address!
For the sake of discussion. Which better ways? Not to put you on the spot, Thornc, but what would you (or anyone else who wants to respond) do to stop viruses, crackers/hackers and spam?
 
Not to put you on the spot, Thornc
No problems, you got me rolling....

spam
In this case ergeorge has the point, spam has to come from somewhere.
Get the spammer's ISP and demand action, one person might not be able to do it but a group will
complain to your ISP, make noise, make them obey the law!

crackers/hackers
Well I don't think Hackers as I understand the word have to be stopped!
But the general idea to solve this is better security, better design... and this also applies to
viruses! Once I read an article about some programmer that had a software tool he sold online, and
how he managed to make money from it even offering a demoware version. His design prevented
crackers from getting to it... he didn't say how, but let's face it, most software these days is just
poorly designed! They're rushed out by the programmers before even being finished, that's why we
have so many patches. For instance n0cmonkey is very fond of OpenBSD, and these BSD OS has
a very track record of security... because unlike others they close the doors by default!

virus
This is a very old issue, and I doubt any Palladium or anything will stop it! It might stop the email
viruses but even that I don't know. Today's email scripts (...that nasty VBS stuff) just use the too
many holes in Microsoft Outlook... why the hell does anyone allow an email program to execute
stuff... why does it have to render html or anything... the other virus stuff of today is just plain
lazy admins not doing their work!

The best thing about any software I've seen is those jokes called EULAs!! "You can pay me to use my
software, if you use it and don't pay me I'll come after you. And if you use it and it doesn't work like
it should or if you lose important stuff while using it that's nothing to do with me"..... if the companies
were really liable (that's the word, isn't it) for what they sell many things would be different!

What we need is to have our governments start doing what they are supposed to do: regulate
and control! The next step would be to start educating people, consumers and producers...
"You pay me fair money for this, and I will make sure that it will work as it is supposed to"


 
Originally posted by: pm
Hmm. Ok. Well, it looked good on paper.

Thanks for explaining the downsides in detail, everyone.

Just a little note - MS revealed security holes in WINDOWS MEDIA PLAYER today. Do you really want to trust a company that writes hackable song / video players??? Personally, I don't want my media software on the net at all...
 
Stopping crackers: 🙂

Helping against crackers and viruses: 🙂

The #1 tool to use against both of these threats? No, not OpenBSD 😉, education.

thornc, I didn't write that, just copied it from someone else. Thanks to /. for providing me with zealous information 😛
 
What is the US government's position on this? I hope they will keep user privacy a top priority. And now that I think about it, hopefully they will not use it as an excuse in their war against terrorism, even though I am in full support of it. Just don't touch the internet or put any restrictions on the net, leave it as it is.
 
I think spam is a huge problem for the internet in general, but for me personally it is almost a non-issue. I get a maximum of 5 spam emails per month to my personal email account. Any spam that I do not wish to receive, I unsubscribe from their list and usually don't have problems with it.

<rant>Most of the people that have trouble with a lot of spam either sign-up for it inadvertently or use a free email service like hotmail where they sell your email address for profit. I don't understand why people would sign-up for a free email account only to bitch about getting 50 spam emails per day. To all these people I ask... What did you expect? Do people really expect to get no spam when they sign-up for a free account? How do you think these places stay in business? Because I guarantee that it is not free to provide all those servers and bandwidth. </end rant>

Anyway, the most effective way to filter email is to only allow email from certain addresses, which is what the "trusted" thing sounds like. There is really no reason to have this though because it is already possible to do this type of filtering. Seems like they are trying to address and fix a problem that already has many solutions available. Also, I think hotmail and other free email providers should add a feature to track down where these emails are coming from and make it easier for normal people to send the spam to the network provider. They could do a reverse DNS lookup on the domain name and then trace it to a server. Once you find the originating server then it's just a matter of finding whoever owns it to contact them. If many people sent complaints to the ISPs then I think they would quickly shut the site down. One of the major problems for ISPs is that they often don't know that people are using their services for spam.

As Palladium stands right now, it sounds like a whole lot of ideals and very unrealistic. They are trying to make it the be all and end all of security which I think is a very difficult if not impossible feat to pull off. I will definitely be keeping an eye on this venture to see what actually becomes of it.
 
Ben50, as far as I know, Symantec has a free online utility that will trace an IP address to where it originated in the world. Here is the link: Here
 
A fundamental fact of computing: given enough time, anything can be cracked. That's just the way computing works... patterns of bits.

So my vision of security/privacy works somewhat like www.cloudmark.com's... they have a spam filter that relies on distributed spam identification. Once one person in the network gets a piece of spam, they mark it as spam, then their spam identification software determines if it's actually spam. If it is, the people who the spammer also sent the message to receive the message in their spam folder. It's pretty sweet.

So the idea would be to use a distributed app that people would use to identify scam websites, websites that don't use https, sites that distribute virii in their software, sites that distribute spyware, etc. It could even be integrated with a browser to completely prevent access to that site if you were willing to believe in the "collective." 😛
 
The main problem with MS'es view on security is that they see the user as the ONLY untrustworthy source of input. Beginners can program visual basic applications that have more control over the system than the user can get. I don't really know how to program but I bet I can cut and paste some code in about an hour that will completely disable a Win2k machine w/ the latest security patches. And sure you can disable a command prompt, but if you still let .bat files run you might as well have left the command prompt enabled.

If I had a standalone network with no outside connections I'd actually consider loading up sub-7 so I can have MORE control of my systems.

MS'es view of security involves giving someone else the keys to our homes so they can break in "just in case" they suspect us of a crime.

I'll pass on this offer.
 
Originally posted by: KraziKid
Ben50, as far as I know, Symantec has a free online utility that will trace an IP address to where it originated in the world. Here is the link: Here

That is a really cool link. Thanks a lot KraziKid. I have been looking at switching to a new web host lately and this will help me find out where the servers are really located.

EDIT: The same company that produces the tracing software also makes eMailTracker. It can trace exactly where an email came from so it would be easy to shut down a spammer. Here is the link to the company.

http://www.visualware.com/
 
Originally posted by: ergeorge
Frankly, I trust anonymity over mandatory corporate tracking to ensure my privacy on the net.

And I suspect this is more about digital rights management ("Sorry, you've exhausted your initial plays of this CD. Would you like to purchase more?"), and furthering Microsoft's stranglehold on the market than it is about security.

Yes. I have the feeling this is more about digital rights management than security as well. Did anyone see or hear about the recent EULA change for WMP? Read the article here. Sorry for the slightly OT, but I feel it's related as far as motivations go.
 