[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Fsfe-france] TCPA: Microsoft's plan to improve computer security could

From: pplf
Subject: [Fsfe-france] TCPA: Microsoft's plan to improve computer security could set off fight over use of online materials
Date: Mon, 17 Feb 2003 18:51:42 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021130)

The Chronicle of Higher Education

Control Issues

Microsoft's plan to improve computer security could set off fight over use of online materials


Computing experts in academe often blame Microsoft for producing software that is vulnerable to viruses and hackers. But, of late, the experts have been criticizing the company's sweeping plan to correct those very deficiencies.

Under the plan, announced seven months ago under the name Palladium, new computers would be equipped with security hardware and a new version of the Windows operating system.

The goal, Microsoft officials say, is to make servers and desktop PC's that people can trust. But critics say the technology, which Microsoft recently renamed "the next-generation secure computing base," could stifle the free flow of information that has come to characterize the Internet, and could give Microsoft too much control over colleges' own computerized information.

With the new technology, information-systems officials could use cryptographic hardware "keys" rather than software controls, like user names and passwords, to lock up student records and prevent illegal copying of materials. Registrars would have tamper-proof controls over who could see, copy, or alter the records. The advances could be used to prevent identity thieves from invading campus computer networks to steal Social Security numbers, grades, and other personal data.

Money and Access

Palladium would require colleges to make expenditures on new computers and software. Existing computers could not be retrofitted.

Colleges would decide whether to buy Palladium-capable software and hardware, and then whether to activate Palladium's security functions. But practically speaking, they would face enormous pressures to do so, especially if publishers of books, journals, software, and other electronic "content" were to adopt Microsoft's standard to deliver their materials online. The publishers could dictate that colleges had to use Palladium or else be denied access to the material. That worries many in academe, who believe that publishers would use Palladium to bar some uses of digital materials to which scholars argue that they are entitled under copyright law. That loss may outweigh the advantages of tighter security over student records, the critics say.

"If Palladium is adopted, and if other technology vendors exploit it fully to restrict access to copyrighted works, education and research will suffer," says Edward W. Felten, an associate professor of computer science at Princeton University, who was the U.S. Justice Department's chief computer-science expert in its antitrust case against Microsoft.

Microsoft officials respond that their new technology will simply give all users -- whether colleges or publishers -- more control over the information they own. Colleges have been demanding more computer security, says Brian LaMacchia, a software architect in Microsoft's trusted-platform-technologies group, which is responsible for Palladium. "It's a two-edged sword," he says, acknowledging that commercial publishers have demanded greater protection for their copyrighted works.

Palladium's software components will be part of the next major version of Windows, which Microsoft has said it may release toward the end of 2004. Some hardware components that Palladium needs, including a security chip, are available already in a notebook computer, the IBM ThinkPad T30. Chip manufacturers and the major computer companies -- Dell, Gateway, Hew-lett-Packard, and IBM, among others -- have begun work to redesign PC's so that they will work with Palladium software.

A key component of Microsoft's new technology is the "nexus," a minisystem that runs in a sealed-off area in the computer's memory, where private transactions can be conducted, and where designated security and copyright policies would be enforced. In theory, the nexus is immune to many of the problems that plague Windows machines, like viruses.

Moving away from password-protected security and toward security that is built into the hardware would make campus networks less vulnerable to hacker attacks, Microsoft officials and academic experts agree. "Once you move to hardware security, then you're talking about deterring 98 to 99 percent of all hackers," says David C. Rice, a security consultant who is an adjunct faculty member in the graduate program in information security at James Madison University.

Here's how Palladium works: If a program -- with its nexus -- were running on a server in, say, a college registrar's office, the server would ask any computer that tried to gain access to student records on the server to certify what program it was running. The server would block access to the records if the computer were running an insecure program. Such questioning of another computer is not part of most security mechanisms in use today. As a result, college computer systems are repeatedly victimized by hacker attacks.

Mr. LaMacchia says that Palladium also would permit personal data and other files to be kept secret on the computer's hard drive in an area where the data would be unreadable by any program other than the one on the computer that created them.

"It's definitely going to solve a lot of security problems, but it's like any kind of new technology," says William A. Arbaugh, an assistant professor of computer science at the University of Maryland at College Park. "It can do good or evil."

Fair Use

Whether it is used for "good" or "evil," he says, will depend on who gets to control the technology -- colleges or the publishers whose "content" the colleges use.

Most of the early controversy surrounding Palladium in academe has concerned its impact on "fair use," a gray area in copyright law that gives professors and researchers limited but free use of copyrighted materials. In the past, faculty members could decide on their own that "fair use" permitted them to distribute a journal article to, say, 10 students. But publishers could use Palladium's controls to unilaterally limit use of their materials, such as by restricting professors to a read-only view of the article, from which they could not "cut and paste" the text.

With Palladium, owners of content would gain at the expense of consumers of content, including professors and students, says Eben Moglen, a professor of law and legal history at Columbia University. In fact, if Palladium were to become a widely accepted way of protecting copyrighted material, Mr. Moglen says, it would create "a closed system, in which each piece of knowledge in the world is identified with a particular owner, and that owner has a right to resist its copying, modification, and redistribution."

In such a scenario, he says, "the very concept of fair use has been lost."

Ross Anderson, who holds a faculty post as a reader in security engineering at the University of Cambridge's Computer Laboratory, says Palladium will "turn the clock back" to the days before online information was widely available.

The biggest losers, he says, will be "small colleges, poor schools, universities in Africa, hospitals in India -- the people who have benefited hugely from the availability of vast amounts of information that was simply unavailable to them before."

Publishers generally support the type of copyright-enforcement mechanisms that would be in Palladium systems, although "there would be some concerns about bugs in those systems," says Ed McCoyd, director of digital policy for the Association of American Publishers. For example, he says, even now, while publishers complain about the inflexibility of technical controls in electronic-book readers, they do not want to share those controls with users.

"They certainly want to have sufficient flexibility in the publisher settings -- one publisher might choose to enable printing, one might not," Mr. McCoyd says. But with the new technology, he predicts, publishers will insist on controlling the software settings for what they "consider to be fair use."

Some experts argue that computer and network security are so weak today that the benefits of Palladium outweigh any risks that Microsoft, or content providers, would abuse the new controls.

"Microsoft could decide to lock everything up," says David J. Farber, a professor of telecommunications systems and of business and public policy at the University of Pennsylvania. "But there is nothing a priori that says they'll be all bad boys."

Indeed, Microsoft says it is listening to its critics. It has been talking with academic researchers about the new technology far earlier than usual in Microsoft's product-development process. "Part of the reason has been to hear the feedback -- positive and negative -- from the academic community, analysts, influentials, and others," says Amy Carroll, group manager of Microsoft's trusted-platform-technologies group.

Palladium's software architects have given several guest lectures at universities in the United States and Britain, in part, Ms. Carroll says, to listen to academic concerns "and, hopefully, assuage them."

Many of the concerns are a result of misunderstanding what the new technology will do and how it will work, Ms. Carroll says. Microsoft plans to publish the source code for its nexus, she says, so that "people can view the code and see that it will do what we say it will do," and see that it will not give the company control over colleges' computerized information.

Even Palladium's critics see good uses for the technology, like maintaining the privacy of student records. Colleges may want to have Palladium activated on some servers to keep them from running "pirated software, MP3's, or anything that is illegal," says Mr. Rice, the security consultant.

More Worries

But Palladium is worrisome to college officials for reasons other than an erosion in the fair use of copyrighted materials. Jeffrey I. Schiller, a network manager at the Massachusetts Institute of Technology, says software companies most likely would use the program to enforce license agreements that many in academe believe are legally unenforceable. For example, more and more software licenses forbid users from running tests known as benchmarks to measure the performance of one company's software against that of its competitors.

Some critics, like Mr. Schiller, say Palladium might achieve the results intended by the Uniform Computer Information Transactions Act, a model law devised by the National Conference of Commissioners on Uniform State Laws, which has been enacted only in Maryland and Virginia. Ucita is "an attempt to give these software licenses the force of a signed contract, even though you didn't sign a contract," Mr. Schiller says. With Palladium, technology would "enforce" the licenses de facto, he says.

Microsoft insists that its new technology is a neutral platform. "It is certainly possible that an application vendor could choose to use [Palladium] to evaluate and enforce some software licensing terms," acknowledges Ms. Carroll. But "at the end of the day," she says, "the terms of the license for an application are strictly an issue between the vendor and the university."

Others think Palladium would be an anti-competitive tool in the hands of software publishers, especially Microsoft, which, in 1999, was found guilty by a federal-district court of monopolistic practices. With Palladium, software publishers could decide to create programs that refuse to work with rival programs, a tactic that is difficult for them to get away with now, says Seth Schoen, a staff technologist at the Electronic Frontier Foundation, a group that promotes civil liberties in cyberspace.

Critics of Palladium frequently cite a hypothetical situation in which a company makes a word-processing program that requires Palladium to run and that encrypts all of the documents that it creates. "Any other Palladium user who is also using that same word processor will be able to decrypt and view the documents," Mr. Schoen says, "but nobody without access to Palladium or who uses a different word processor would be able to derive the necessary decryption keys."

Microsoft faces an uphill battle to win acceptance for Palladium in academe. College students, many of whom are used to playing illegal copies of music and videos on their personal computers, may be resistant.

"They're not going to consciously go out and buy a product that necessarily limits their ability to do what they want to do," says Mr. Rice, the security consultant. "They'll definitely buy a product if it means security for them. I don't know if they're going to buy a product if it means security for somebody else."

The Business Software Alliance, a trade group representing software companies, declined to comment on Palladium, citing a policy of not talking about its members' products. But Robert M. Kruger, vice president for enforcement, says the group is beginning to tilt more toward technology to enforce copyrights.

In dealing with software and other copyright piracy on campuses, colleges "aren't sending the message as aggressively as we would like," he says.

Will MIT, whose researchers have studied Palladium, want to run it? Maybe not, says Mr. Schiller, the university's network manager. "Personally, I would never use this technology," he says. As for MIT, though, it's an open question, he says. "Palladium has to become more real for us to really decide if we can use it."

"If I had my druthers, I'd love the technology to be available and used for all the good things we could use it for," Mr. Schiller says. "But I'm enough of a realist to know that's not how it's going to play out."


Microsoft's Palladium project is designed to make Windows computers more secure. But computer experts are concerned that the technologies being used to make computers more secure will block the free flow of information needed for teaching and research.

Palladium will:

* Run programs that could prevent illegal copying of or unauthorized access to information stored in PC's.

* Permit owners of digital information, whether copyright holders or registrars responsible for student records, to set tamper-proof controls on who can see, copy, and alter digital files.

* Prevent unauthorized access, via a computer network or the Internet, to Social Security numbers, credit-card information, and other personal data stored in PC's.

Palladium will not:

    * Replace the Windows operating system.

* Search the Internet to detect and delete pirated software, music, and movies.

    * Eliminate spam and software viruses.

* Prevent a digital thief from gaining access to a computer in person and disabling its hardware security features.

SOURCE: Chronicle reporting

pplf - French OpenPGP page    <address@hidden>
"OpenPGP en francais"         PGP: 8263 8399 2074 5277 a6d3
http://www.openpgp.fr.st           622d 1b66 ea3d caa0 8c94

reply via email to

[Prev in Thread] Current Thread [Next in Thread]