Cryptogram: Palladium Only for DRM

Peter PeterNBiddle at hotmail.com
Wed Sep 18 13:34:23 EDT 2002


> (And before you mention the current worm infecting Linux apache sites,
> that's also caused by bad design, not a problem that requires
> hardware to fix.)

and

> In any case, all of this is silly. Palladium is no more likely to be
> bugless than the OS. If you break it, why is that less damaging than
> breaking the OS?

Bruce Schneier has a great take on this - secure systems should fail well.
Pd is designed to fail well - failures in SW design shouldn't result in
compromised secrets, and compromised secrets shouldn't result in a BORE
attack. I've talked about the processes we are using to make sure that this
is true but for a start we are gen'ing headers from formal specs. The specs
are reviewed for architecture and security before spec changes are approved,
and only then can you get a new header. We are doing a formal proof on parts
of the design (those upon which the security model depends). This process
should keep the bugs we do get from jeopardizing the security model.

P



----- Original Message -----
From: "Perry E. Metzger" <perry at piermont.com>
To: <niels at ferguson.net>; <cryptography at wasabisystems.com>;
<DMCA-Activists at gnu.org>; <DMCA_Discuss at lists.microshaft.org>;
<fairuse-discuss at mrbrklyn.com>
Sent: Monday, September 16, 2002 1:32 PM
Subject: Re: Cryptogram: Palladium Only for DRM


>
> AARG!Anonymous <remailer at aarg.net> writes:
> > One likely use of Pd for banking software would be to use the "secure
> > vault" to lock up account number and password information.  This would
> > ensure that no other software than the banking client could access this
> > data,
>
> That's what an MMU and file permissions are for. Palladium isn't
> needed for such a thing.
>
> > so that if you got a virus it would not be able to empty your
> > banking account.
>
> Why not simply design the OS so it is not a likely victim for viruses?
> This is a general security problem, not one special to banking
> operations. My own machine doesn't seem to get viruses -- but then
> again it doesn't run Windows. Funny, that.
>
> (And before you mention the current worm infecting Linux apache sites,
> that's also caused by bad design, not a problem that requires
> hardware to fix.)
>
> > And if the virus infected the banking client software
> > itself, that would change its hash which would keep it from being able
> > to access the data.
>
> There are patches to NetBSD that happily prevent a program that does
> not have a particular hash from executing, and similar code for
> several other OSes I've seen. We need no hardware to do this. On the
> other hand, who needs hash functions when an ordinary user can't alter
> the executable because he doesn't have permissions?
>
> I know this is a new concept to windows users -- I had to give my CFO
> admin privs on his XP box because Quickbooks refused to run otherwise
> -- but it is indeed possible to work on a machine where you don't have
> the right to write every file on the system.
>
> In any case, all of this is silly. Palladium is no more likely to be
> bugless than the OS. If you break it, why is that less damaging than
> breaking the OS?
>
> > Contrary to Niels Ferguson's comments, these kinds of applications
> > are far from silly.
>
> I disagree. This is all like saying you need a rifle to shoot
> cockroaches when swatting them with a shoe does fine and using poison
> traps works even better. Using a rifle for the application is indeed
> silly.
>
> > The next Nimda could empty your bank account and transfer its entire
> > contents irreversibly to an overseas server.
>
> Not under US law it couldn't. You could just have the transfer
> reversed as fraudulent.
>
> Beyond that, though, there is the little detail that Nimda and Klez
> etc. are only possible because Windows is so poorly designed. I can't
> GET an email virus, because my machine doesn't have those sorts of
> design flaws. (It has plenty of others, but email viruses aren't a
> problem for me.)
>
> No, it appears to me that the only real excuse for Palladium is to
> allow third parties to take control of hardware I own to prevent me
> from using it the way that I want to. I don't need it to keep my bank
> account safe.
>
> --
> Perry E. Metzger perry at piermont.com
> --
> "Ask not what your country can force other people to do for you..."
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to
> majordomo at wasabisystems.com
>

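The "secure vault" mechanism the anonymous poster describes above, where data sealed by the banking client can only be read back by code with the same hash, as an added Python simulation that is not part of this thread or of Palladium itself. The platform root key, the HMAC-based keystream (standing in for a real AEAD) and the sample client bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a platform root key that a real design would keep
# in hardware; here it is just random bytes for the simulation.
PLATFORM_ROOT_KEY = os.urandom(32)

def measure(code: bytes) -> bytes:
    """Measurement of a program: SHA-256 over its bytes."""
    return hashlib.sha256(code).digest()

def _seal_key(root: bytes, measurement: bytes) -> bytes:
    # The sealing key is derived from the code measurement, so a modified
    # client (different hash) derives a different key and cannot unseal.
    return hmac.new(root, b"seal" + measurement, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a demo construction only,
    # standing in for a real AEAD such as AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(secret: bytes, code: bytes, root: bytes = PLATFORM_ROOT_KEY) -> bytes:
    """Seal `secret` so that only code with the same measurement can unseal it."""
    key = _seal_key(root, measure(code))
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity over nonce+ct
    return nonce + ct + tag

def unseal(blob: bytes, code: bytes, root: bytes = PLATFORM_ROOT_KEY) -> "bytes | None":
    """Return the secret if `code` measures as the sealing code did, else None."""
    key = _seal_key(root, measure(code))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong measurement -> wrong key -> tag mismatch, nothing leaks
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def demo() -> tuple:
    """Constructed client bytes: the original banking client and a tampered copy."""
    banking_client = b"banking-client v1.0 (constructed stand-in for a binary)"
    tampered_client = banking_client + b" plus bytes a virus appended"
    blob = seal(b"acct=12345678;pw=example", banking_client)
    return (unseal(blob, banking_client), unseal(blob, tampered_client))
```

Note that this only binds the secret to the code's measurement; whether that is worth more than ordinary file permissions, as Perry argues, is a separate question the code does not settle.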
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com


