Palladium -- trivially weak in hw but "secure in software"?? (Re: palladium presentation - anyone going?)

[alan]

On Tue, 22 Oct 2002, Rick Wash wrote:

> Hardware-based attacks cannot be redistributed.  If I figure out how
> to hack my system, I can post instructions on the web but it still
> requires techinical competence on your end if you want to hack your
> system too.
> 
> While this doesn't help a whole lot for a DRM goal (once you get the
> non-DRM version of the media data, you can redistribute it all you
> want), it can be very useful for security.  It can help to eliminate
> the 'script kiddie' style of attackers.

Not really.  It depends on what they are exploiting.  Does every piece of 
code need to be validated all the time? Once a program is running, does 
something running in its code space get revalidated or soes it just run?

I don't see how paladium stops buffer overflows or heap exploits or format 
bugs or any of the standard exploits that are in use today.  (Not without 
crippling the entire system for bot the user and the programmer.)

It seems to change little for script kiddies if the machines are going to 
communicate with other systems.  (Unless the DRM holders will control who 
and how you can connect as well.  And they just might do that as well...)

The perveyors of this also claim it will stop spam and e-mail viruses. 
They only way it can do that is by making paladium based systems 
incompatable with every non-DRM machine on the planet.  (So much for 
getting e-mail from your relatives!)

The only problem this hardware seems to solve is shackling the user into 
what data they can see and use.  If Microsoft follows their standard 
coding practices, the script kiddie problem will not go away with this 
technology. It will probably increase.  

And it will be illegal to effectivly stop them.



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com