[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Fsfe-france] TCPA: Microsoft's plan to improve computer security could
From: |
pplf |
Subject: |
[Fsfe-france] TCPA: Microsoft's plan to improve computer security could set off fight over use of online materials |
Date: |
Mon, 17 Feb 2003 18:51:42 +0100 |
User-agent: |
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021130) |
The Chronicle of Higher Education
http://chronicle.com/free/v49/i24/24a02701.htm
Control Issues
Microsoft's plan to improve computer security could set off fight over
use of online materials
By FLORENCE OLSEN
Computing experts in academe often blame Microsoft for producing
software that is vulnerable to viruses and hackers. But, of late, the
experts have been criticizing the company's sweeping plan to correct
those very deficiencies.
Under the plan, announced seven months ago under the name Palladium, new
computers would be equipped with security hardware and a new version of
the Windows operating system.
The goal, Microsoft officials say, is to make servers and desktop PC's
that people can trust. But critics say the technology, which Microsoft
recently renamed "the next-generation secure computing base," could
stifle the free flow of information that has come to characterize the
Internet, and could give Microsoft too much control over colleges' own
computerized information.
With the new technology, information-systems officials could use
cryptographic hardware "keys" rather than software controls, like user
names and passwords, to lock up student records and prevent illegal
copying of materials. Registrars would have tamper-proof controls over
who could see, copy, or alter the records. The advances could be used to
prevent identity thieves from invading campus computer networks to steal
Social Security numbers, grades, and other personal data.
Money and Access
Palladium would require colleges to make expenditures on new computers
and software. Existing computers could not be retrofitted.
Colleges would decide whether to buy Palladium-capable software and
hardware, and then whether to activate Palladium's security functions.
But practically speaking, they would face enormous pressures to do so,
especially if publishers of books, journals, software, and other
electronic "content" were to adopt Microsoft's standard to deliver their
materials online. The publishers could dictate that colleges had to use
Palladium or else be denied access to the material. That worries many in
academe, who believe that publishers would use Palladium to bar some
uses of digital materials to which scholars argue that they are entitled
under copyright law. That loss may outweigh the advantages of tighter
security over student records, the critics say.
"If Palladium is adopted, and if other technology vendors exploit it
fully to restrict access to copyrighted works, education and research
will suffer," says Edward W. Felten, an associate professor of computer
science at Princeton University, who was the U.S. Justice Department's
chief computer-science expert in its antitrust case against Microsoft.
Microsoft officials respond that their new technology will simply give
all users -- whether colleges or publishers -- more control over the
information they own. Colleges have been demanding more computer
security, says Brian LaMacchia, a software architect in Microsoft's
trusted-platform-technologies group, which is responsible for Palladium.
"It's a two-edged sword," he says, acknowledging that commercial
publishers have demanded greater protection for their copyrighted works.
Palladium's software components will be part of the next major version
of Windows, which Microsoft has said it may release toward the end of
2004. Some hardware components that Palladium needs, including a
security chip, are available already in a notebook computer, the IBM
ThinkPad T30. Chip manufacturers and the major computer companies --
Dell, Gateway, Hew-lett-Packard, and IBM, among others -- have begun
work to redesign PC's so that they will work with Palladium software.
A key component of Microsoft's new technology is the "nexus," a
minisystem that runs in a sealed-off area in the computer's memory,
where private transactions can be conducted, and where designated
security and copyright policies would be enforced. In theory, the nexus
is immune to many of the problems that plague Windows machines, like
viruses.
Moving away from password-protected security and toward security that is
built into the hardware would make campus networks less vulnerable to
hacker attacks, Microsoft officials and academic experts agree. "Once
you move to hardware security, then you're talking about deterring 98 to
99 percent of all hackers," says David C. Rice, a security consultant
who is an adjunct faculty member in the graduate program in information
security at James Madison University.
Here's how Palladium works: If a program -- with its nexus -- were
running on a server in, say, a college registrar's office, the server
would ask any computer that tried to gain access to student records on
the server to certify what program it was running. The server would
block access to the records if the computer were running an insecure
program. Such questioning of another computer is not part of most
security mechanisms in use today. As a result, college computer systems
are repeatedly victimized by hacker attacks.
Mr. LaMacchia says that Palladium also would permit personal data and
other files to be kept secret on the computer's hard drive in an area
where the data would be unreadable by any program other than the one on
the computer that created them.
"It's definitely going to solve a lot of security problems, but it's
like any kind of new technology," says William A. Arbaugh, an assistant
professor of computer science at the University of Maryland at College
Park. "It can do good or evil."
Fair Use
Whether it is used for "good" or "evil," he says, will depend on who
gets to control the technology -- colleges or the publishers whose
"content" the colleges use.
Most of the early controversy surrounding Palladium in academe has
concerned its impact on "fair use," a gray area in copyright law that
gives professors and researchers limited but free use of copyrighted
materials. In the past, faculty members could decide on their own that
"fair use" permitted them to distribute a journal article to, say, 10
students. But publishers could use Palladium's controls to unilaterally
limit use of their materials, such as by restricting professors to a
read-only view of the article, from which they could not "cut and paste"
the text.
With Palladium, owners of content would gain at the expense of consumers
of content, including professors and students, says Eben Moglen, a
professor of law and legal history at Columbia University. In fact, if
Palladium were to become a widely accepted way of protecting copyrighted
material, Mr. Moglen says, it would create "a closed system, in which
each piece of knowledge in the world is identified with a particular
owner, and that owner has a right to resist its copying, modification,
and redistribution."
In such a scenario, he says, "the very concept of fair use has been lost."
Ross Anderson, who holds a faculty post as a reader in security
engineering at the University of Cambridge's Computer Laboratory, says
Palladium will "turn the clock back" to the days before online
information was widely available.
The biggest losers, he says, will be "small colleges, poor schools,
universities in Africa, hospitals in India -- the people who have
benefited hugely from the availability of vast amounts of information
that was simply unavailable to them before."
Publishers generally support the type of copyright-enforcement
mechanisms that would be in Palladium systems, although "there would be
some concerns about bugs in those systems," says Ed McCoyd, director of
digital policy for the Association of American Publishers. For example,
he says, even now, while publishers complain about the inflexibility of
technical controls in electronic-book readers, they do not want to share
those controls with users.
"They certainly want to have sufficient flexibility in the publisher
settings -- one publisher might choose to enable printing, one might
not," Mr. McCoyd says. But with the new technology, he predicts,
publishers will insist on controlling the software settings for what
they "consider to be fair use."
Some experts argue that computer and network security are so weak today
that the benefits of Palladium outweigh any risks that Microsoft, or
content providers, would abuse the new controls.
"Microsoft could decide to lock everything up," says David J. Farber, a
professor of telecommunications systems and of business and public
policy at the University of Pennsylvania. "But there is nothing a priori
that says they'll be all bad boys."
Indeed, Microsoft says it is listening to its critics. It has been
talking with academic researchers about the new technology far earlier
than usual in Microsoft's product-development process. "Part of the
reason has been to hear the feedback -- positive and negative -- from
the academic community, analysts, influentials, and others," says Amy
Carroll, group manager of Microsoft's trusted-platform-technologies group.
Palladium's software architects have given several guest lectures at
universities in the United States and Britain, in part, Ms. Carroll
says, to listen to academic concerns "and, hopefully, assuage them."
Many of the concerns are a result of misunderstanding what the new
technology will do and how it will work, Ms. Carroll says. Microsoft
plans to publish the source code for its nexus, she says, so that
"people can view the code and see that it will do what we say it will
do," and see that it will not give the company control over colleges'
computerized information.
Even Palladium's critics see good uses for the technology, like
maintaining the privacy of student records. Colleges may want to have
Palladium activated on some servers to keep them from running "pirated
software, MP3's, or anything that is illegal," says Mr. Rice, the
security consultant.
More Worries
But Palladium is worrisome to college officials for reasons other than
an erosion in the fair use of copyrighted materials. Jeffrey I.
Schiller, a network manager at the Massachusetts Institute of
Technology, says software companies most likely would use the program to
enforce license agreements that many in academe believe are legally
unenforceable. For example, more and more software licenses forbid users
from running tests known as benchmarks to measure the performance of one
company's software against that of its competitors.
Some critics, like Mr. Schiller, say Palladium might achieve the results
intended by the Uniform Computer Information Transactions Act, a model
law devised by the National Conference of Commissioners on Uniform State
Laws, which has been enacted only in Maryland and Virginia. Ucita is "an
attempt to give these software licenses the force of a signed contract,
even though you didn't sign a contract," Mr. Schiller says. With
Palladium, technology would "enforce" the licenses de facto, he says.
Microsoft insists that its new technology is a neutral platform. "It is
certainly possible that an application vendor could choose to use
[Palladium] to evaluate and enforce some software licensing terms,"
acknowledges Ms. Carroll. But "at the end of the day," she says, "the
terms of the license for an application are strictly an issue between
the vendor and the university."
Others think Palladium would be an anti-competitive tool in the hands of
software publishers, especially Microsoft, which, in 1999, was found
guilty by a federal-district court of monopolistic practices. With
Palladium, software publishers could decide to create programs that
refuse to work with rival programs, a tactic that is difficult for them
to get away with now, says Seth Schoen, a staff technologist at the
Electronic Frontier Foundation, a group that promotes civil liberties in
cyberspace.
Critics of Palladium frequently cite a hypothetical situation in which a
company makes a word-processing program that requires Palladium to run
and that encrypts all of the documents that it creates. "Any other
Palladium user who is also using that same word processor will be able
to decrypt and view the documents," Mr. Schoen says, "but nobody without
access to Palladium or who uses a different word processor would be able
to derive the necessary decryption keys."
Microsoft faces an uphill battle to win acceptance for Palladium in
academe. College students, many of whom are used to playing illegal
copies of music and videos on their personal computers, may be resistant.
"They're not going to consciously go out and buy a product that
necessarily limits their ability to do what they want to do," says Mr.
Rice, the security consultant. "They'll definitely buy a product if it
means security for them. I don't know if they're going to buy a product
if it means security for somebody else."
The Business Software Alliance, a trade group representing software
companies, declined to comment on Palladium, citing a policy of not
talking about its members' products. But Robert M. Kruger, vice
president for enforcement, says the group is beginning to tilt more
toward technology to enforce copyrights.
In dealing with software and other copyright piracy on campuses,
colleges "aren't sending the message as aggressively as we would like,"
he says.
Will MIT, whose researchers have studied Palladium, want to run it?
Maybe not, says Mr. Schiller, the university's network manager.
"Personally, I would never use this technology," he says. As for MIT,
though, it's an open question, he says. "Palladium has to become more
real for us to really decide if we can use it."
"If I had my druthers, I'd love the technology to be available and used
for all the good things we could use it for," Mr. Schiller says. "But
I'm enough of a realist to know that's not how it's going to play out."
WHAT PALLADIUM WILL AND WON'T DO
Microsoft's Palladium project is designed to make Windows computers more
secure. But computer experts are concerned that the technologies being
used to make computers more secure will block the free flow of
information needed for teaching and research.
Palladium will:
* Run programs that could prevent illegal copying of or
unauthorized access to information stored in PC's.
* Permit owners of digital information, whether copyright holders
or registrars responsible for student records, to set tamper-proof
controls on who can see, copy, and alter digital files.
* Prevent unauthorized access, via a computer network or the
Internet, to Social Security numbers, credit-card information, and other
personal data stored in PC's.
Palladium will not:
* Replace the Windows operating system.
* Search the Internet to detect and delete pirated software, music,
and movies.
* Eliminate spam and software viruses.
* Prevent a digital thief from gaining access to a computer in
person and disabling its hardware security features.
SOURCE: Chronicle reporting
--
pplf - French OpenPGP page <address@hidden>
"OpenPGP en francais" PGP: 8263 8399 2074 5277 a6d3
http://www.openpgp.fr.st 622d 1b66 ea3d caa0 8c94
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Fsfe-france] TCPA: Microsoft's plan to improve computer security could set off fight over use of online materials,
pplf <=