Schneier on Security
A blog covering security and security technology.
« War on Terror: The Boardgame |
| Tracking Automobiles Through their Tires »
December 26, 2006
A Cost Analysis of Windows Vista Content Protection
Peter Gutman's "A Cost Analysis of Windows Vista Content Protection" is fascinating reading:
Windows Vista includes an extensive reworking of core OS elements in order to provide content protection for so-called "premium content", typically HD data from Blu-Ray and HD-DVD sources. Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost. These issues affect not only users of Vista but the entire PC industry, since the effects of the protection measures extend to cover all hardware and software that will ever come into contact with Vista, even if it's not used directly with Vista (for example hardware in a Macintosh computer or on a Linux server). This document analyses the cost involved in Vista's content protection, and the collateral damage that this incurs throughout the computer industry.
Executive Executive Summary
The Vista Content Protection specification could very well constitute the longest suicide note in history.
It contains stuff like:
Denial-of-Service via Driver Revocation
Once a weakness is found in a particular driver or device, that driver will have its signature revoked by Microsoft, which means that it will cease to function (details on this are a bit vague here, presumably some minimum functionality like generic 640x480 VGA support will still be available in order for the system to boot). This means that a report of a compromise of a particular driver or device will cause all support for that device worldwide to be turned off until a fix can be found. Again, details are sketchy, but if it's a device problem then presumably the device turns into a paperweight once it's revoked. If it's an older device for which the vendor isn't interested in rewriting their drivers (and in the fast-moving hardware market most devices enter "legacy" status within a year of two of their replacement models becoming available), all devices of that type worldwide become permanently unusable.
Read the whole thing.
And here's commentary on the paper.
Posted on December 26, 2006 at 1:56 PM
• 68 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I read the article last night and found the effects could be frightening for the future of Windows. (Of course as a Mac user and consultant, Vista doesn't really affect me.)
But the inclusion of pervasive encryption in the software and hardware should make for plenty of nightmares. Not to mention government meddling for back doors and export limitations.
I can see two possible outcomes of this.
1) More people migrate to alternative systems, such as Mac or Linux
2) Prices of old (but not yet replaced) hardware drops like a rock in water.
What does this mean to me? Possibly not much since the only place I use Windows is on my work computers, and with the rate of hardware updates done here, it'll take atleast 10 years before Vista is supported.
Let me see if I have this right - a hardware vendor could force nearly the entire marketplace into accelerated purchases of hardware upgrades simply by allowing the revocation of the device's signature? Imagine all of the ways this could be accomplished, such as 'discovering' a backdoor left in a driver by the original developer, and many many others.
I wonder what is going to happen at the very moment when the first vulnerability in AES-128 is discovered. Will it mean that all HW (if I understand correctly, all-in-single-chip design is recommended, i.e. no easy circuit replacement possible) will have to be thrown out?
Tilt bit is a news for me, didn't notice it earlier. But I can easily imagine the impact on systems' power consumption.
>Will it mean that all HW ... will have to be thrown out?
Oh, I can imagine the lawsuits this will generate. The first company that does this will also be the last one, as they end up going bankrupt. I just paid $300 for a video card, what do you mean it is now a brick and I have to buy it over again?
Or what happens when the first "revocation virus" comes along. Who made it? Your competitor? Your own marketing dept? A disgruntled employee? J. Random Hacker? What difference will it be when you have to replace many months of production, perhaps under warranty.
Why do product managers sign off on crap like this? I really wanna know what in their brains makes them think that this will work.
No doubt that I will not choose to upgrade to Vista.
I hope that Vista falls flat on it's face. I'm not even a Linux or Mac fanboy, but the more I hear about this crap, the more I hope it fails.
Koray: In answer to your question, you must consider who Microsoft's customer is for Vista. It's not the people who will buy the OS, it's the "content producers" who are currently in bed with Apple. If Microsoft can get these people producing content (exclusively) for Windows, then Microsoft can charge licensing fees for its DRM technologies, and users will be locked into the Vista platform which will generate revenue through sales.
Why did YouTube take over the internets? It was the first video system where you didn't get a frickin' window pop up telling you you needed to update your frickin' video software. It just plays.
(Vista sounds like the special hell I often went through with Quick Time. You'd get the notice to upgrade, go upgrade, and then find that the video still didn't work. Why? You were on version 2.4, it wanted 2.5, and what Apple gave you was 2.6.)
Given that computers are vulnerable to the occasional random digital event -- some bit flips for no good reason -- then drivers will go 'sideways' now and then. The user sees this when the cursor acts funny, color coding goes goofy, a button won't click -- and things of that ilk. If such an event occurs to a Vista user, then will MS permanently revoke a driver when they detect something is not quite right, or can the user close all windows and do a three-fingered-crash to get a fresh start and have MS reconsider than then bless his regenerated driver as sanctified?
If revocation is recoverable, Vista will have yet another undocumented feature. If revocation is permanent, this is no suicide note, it is the Self-immolation Proclamation.
One implication of MS' greed here could be the development of 'commercial grade' hardware and drivers that specifically reject Vista security in favor of stability. Office computers don't need to play HD video but they do need to keep running without fear of 'tilt bits' bringing the system to a halt at the slightest provokation.
@skippern, I take your point insofar as Vista's driver-development hell doesn't directly affect other operating systems.
However, unless I got entirely the wrong gist of TFA, there are substantial *hardware* design and cost implications of some of this.
If MS retains 80%-90% of platform penetration, hardware vendors would be remiss *not* to cater to MS' requirements. Since Apple's been so successfully adopting COTS hardware in their systems, and most other alternative OSes are running against hardware originally produced for the Windows market, I can't help but think that *all* of us will be suffering and/or paying extra to support the deal MS made with the content cartels.
Such as open-source developers being refused hardware documentation even more often than has been the case in, say, WiFi chipsets and certain video-card vendors.
I thought the article did a good job of sketching out these knock-on effects. This isn't just a case of "well, never going to use Vista... doesn't affect me."
I never had any intention of upgrading to Vista, ever, anyway, but this is just amazing to me.
Either Mac or Linux are already viable alternatives to me. I'm just still on Windows because it's easy. I haven't needed anything new since Windows 2000.
I'm on XP now because when I went to get a new machine last summer, it was cheaper to buy an eMachine with a rebate than to build my own box, and it came with XP on it.
Next time I buy, even if it's cheaper I'll not buy a machine if it means giving Microsoft money for Vista. Even if I would have formatted the drive the minute I got it home and installed Linux, I'm not going to pay the MS tax for Vista.
I read this the other night. It seems to me that MS is simply setting themselves up for a massive series of legal battles. I'm sure the bright legal lights there have thought of this and attempted to build insulation, but this really looks insane.
I can't imagine this ending well, for MS, customers, hardware vendors, or competing OSes. Maybe for the lawyers.
Since I don't plan on buying into BlueRay or HD-DVD (Tired of the standards / lack of / buy my proprietary junk, it's cool but when the market rejects it, we'll dump it and you too runarounds), I really have no wish to buy a complete new computer so I can run Vista just to run all this parasitic code. Not all of us people who were bitten by Windows Genuine (Dis)Advantage were running pirated software or grey area cruft. 20% of us were fully legal and it was Microsoft's junk that was causing us heartache. Where will Vista put us?
Vista (The view you get just before falling off the cliff)
It boggles the mind (well, mine anyway) to think that a side-effect of Microsoft's DRM for Vista might be the outsourcing of the PC HW industry to China. As US vendors tied to Microsoft build ever more expensive and flaky stuff, newly industrializing countries will assume world leadership by the simple expedient of making and shipping competing stuff that works.
Vista's design will force hardware vendors to supply unreliable, but more expensive, equipment. Mac and Linux users will undoubtedly look for hardware that has not been crippled. China wants to build its own industries not buy from the US or EU. Why would they not build hardware that did not have the features required by Vista? There would be their own market plus all the Linux users worldwide. They would have reliable, robust software and hardware for their in-country use and a willing world-wide market made up folk just like the ones who have commented in this thread.
In sum, Microsoft with Vista is making it possible for China to do to the US PC industry what Japan did to the US auto industry. Compete on higher reliability and lower costs to become the dominant players in the industry.
X.509 revocation lists thisUpdate and nextUpdate dates. I have to wonder if the key revocation lists followed a similar model. If they contain at a minimum an equivalent to a thisUpdate date, then it may be possible to freeze or roll back your device's clock and invalidate an attempted key revocation list update.
Your forum link seems heavy on short sentence abuse and light on fact. I did not find it useful at all.
Vista may not be much fun for gamers but corporates will for forced into it. The only question will be how many years it takes.
I noticed that a number of the unflattering quotes cames from ATI. It seems to me that the chip manufacturers need to wake up to the fact that THEY could fight this issue. THEY could be holding Microsoft over a barrel instead of the other way around.
I think ATI, nVidia, Creative, etc should refuse to make Vista drivers for all but their high-end equipment. The market will figure that out quickly.
"So, a card that will work with Vista will cost me $700, but I can get the same performance under XP for $80?"
Sounds like a no-brainer to me.
I'd hardly call 2fps the same as a factor of nine MDwyer. The article has enough over the top claims without them being repeated here.
Someone: I think you misunderstood me. I'm saying nothing about Vista's performance. In fact, the assumption was that there was parity in the performance.
The idea is that if you want to have Vista drivers, you're going to have to pay extra for them. However, if you want to stay with XP, there isn't a premium charged.
I think the manufacturers should not only pass the costs along to the consumer, I think they should inflate them. Most consumers won't pay inflated prices for parity performance, and Vista fails for lack of drivers and lack of consumers.
I can dream, can't I?
The problem is not at Microsoft. It's the content providers. The content provides refuse to provide non-DRMed media, therefore Microsoft must provide a DRM platform to be able to play these media. Of course, if no one wants to play DRMed media on a PC, there's no need for DRM in Vista.
Hardware vendors can't fight this issue. Content provides are more than happy to make their media NOT able to play on a PC. This makes their media less likely to be pirated (at least by casual users). High profile pirates will still be able to pirate these things, but they are larger targets and will be easier to handle.
When "someone" claimed "This article is pretty over-the-top." he obviously didn't read any original Microsoft's documents, as:
Output Content Protection and Windows Vista
It's dated April 27, 2005.
Inside is, among other very specific details, the following gem: "Tilt bits are provided in the DDI as the driver’s mechanism for reporting that a hacker is suspected. If at any time the graphics driver determines that something improper has happened, then it can set the appropriate tilt bit—for example, if the hash of an output status message doesn’t match the message. If any tilt bit gets set, then Windows Vista will initiate a full reset of the graphics subsystem, so everything will restart, including re-authentication."
The whole Vista development project could easily be mistaken for a blatant attempt to manipulate the hardware market. Over the years, PC costs have dropped dramatically, to the point where the cost of pre-installing Windows is a significant contribution to the shop price.
There are two solutions to the problem, reduce the Microsoft tax or maintain/increase the cost of hardware.
Obviously Microsoft couldn't possibly reduce the cost of pre-installed Windows...
And saw passing reference to a fast stream cypher "Intel Cascaded Cypher" which is apparently "AES-128-based" but proprietary to (and licensable from) Intel, presumably (from context) as an optional component of their (again) proprietary and licensable HDCP technology.
One quick google later and I have... nothing. I can't find even *mention* of this variant on various sites (including Intel's own), never mind any clue if someone competent at cryptoanalysis has ever taken a look at it. Anyone got a pointer for me? if DRM in vista is likely to revolve around this, I would at least like to know what it is......
The idea of security enhanced HW is a good one. However DRM and trusted computing is not security for the machine's owner or user.
But that not the real problem. The real problem is everyone complains that there is no real choice and just buys into this crap anyway. Yes there is. Most make bad choices, thats not MS fault. Just make sure you don't make the wrong choice.
We shouldn't worry too much. First there DRM will fail. Not because secure hardware is hard but because they really suck at security (just look at AAC looks like CSS with a bandaid). Then there are countries that are passing laws that alow cracking of this HW for compatablity and fair use (aka watch DVD's on linux). NZ is looking a law like this for its DMCA equivilant. Very well thought out (not perfect however).
Not every country has laws like DMCA.... In some countires (try most except USA) the laws are almost resonable. And methods like this will fail.
@Dave Howe: it's "Intel Cascaded Cipher", not cypher. Not many links, but mention is made in a couple of MS docs, e.g.:
"The Intel Cascaded Cipher is a mechanism for re-using each 128-bit cipher block a number of times. It does this by applying Serpent encryption to the cipher blocks coming out of the AES engine, rather than just using the XOR function that regular AES 128-bit counter mode uses."
Has Microsoft become the government, or is it the other way around? Maybe they could tie DRM to the no-fly list?
This looks like the motiviation I need to stop sticking with windows and get into a non-satan inspired OS.
What's your point about the tilt bits? That they exist? That they could introduce instabilities?
My point is that none of these encryption "features" are going to be active unless they're required during playback of protected content.
My problem is that Gutman makes it sound like the processing overhead and danger of instability is ever present when it really only applies to protected content. It's a non issue most/all of the time when using Vista and crying wolf on performance problems without qualifying the LIMITED situations where his concerns apply is overblowing the issue.
Heh, government backdoors... yes this is all about government backdoors. Lol
This is about MSFT trying to break ground where Apple has already tread. Apple came to dominate an industry and now calls the shots with the content providers.
Long term, one vision for the future of digital content is not a good thing (after all, they created FairPlay... which is a DRM system). So MSFT has to find a way into this industry, and it's going to mean making the content providers feel safe.
Eventually, it's going to be obvious to the addled old men who've never touched a computer that by it's very nature, DRM is practically impossible to maintain. The fight will go from technology to legislation (Congress will declare that "they tried to let industry solve the problem, so now we're just going to make everyone a criminal").
And I'll continue to rip the content I purchased rights to. It's mine to view, I do what I please. It's my right. I don't steal it, and I don't help others steal it.
Complain all you want about DMCA hampering your rights to watch your media. Who is going to jail for doing so? It's not worth any government's time to crackdown on anyone but a content trafficker.
Yes, it seems to possibly have a chilling effect on software that rips content for you... but heck, I dunno... has it really? Seems just as available as ever.
When people talk about "content providers" refusing to provide non-DRM-crippled media, they're really talking about the RIAA and MPAA. It's worth remembering that there's plenty of non-DRM-crippled music out there, and an increasing amount of other media.
Last time I checked, there was enough Creative Commons-licensed music out there that you could listen to it from birth to death without hearing the same track twice. Sure, Sturgeon's Revelation applies, but as consumers we are not forced into DRM.
1. Reminds me of the reason the security evaluation process went belly-up: any single hardware or software change forced a new evaluation.
2. It also makes the Vista user community very vulnerable to infowar DoS attacks if some technically-adept nation decides to put backdoors in the hardware or software developed in their country.
I hope that the article will at least cause some upstir in the general public, it's been featured on quite some popular sites over the last days.
For many parts I think it's FUD, something that has worked very well for MS themselves in the past. Now they finally get to taste some of their own medicine :)
Why FUD? The bits of information that Gutman has collected sure are wishes of the content industry, but many of the consequences he mentions (higher hardware costs, more driver efforts, legal and support aftermath if things stop working or go into "degraded" mode) are just too drastic that they could possibly become reality.
Thank you, Stef, for that concise demonstration of denial.
You, and the people you link to "debunking" this article, keep misrepresenting what it says. Gutman points out very early on that some of this crap is turned on dynamically in the presence of "premium content." He also explains that:
* Some of the crap is on all the time. (For example, if your driver's revoked, it's revoked period.)
* Crap that's only on some of the time affects everything, not just the content that turned it on.
* The system needs to be capable of this crap all the time, even it's never turned on, so you're paying for it in dollars and engineering tradeoffs.
* This crap sets up a very easy DoS.
I don't know whether his description of Vista is accurate, but it does lead logically to his predictions. It's not helpful for a bunch of people to scream "bullshit!" and then pretend Gutman said something other than what he actually said.
could you explain what you mean by crap that's only on some of the time affects everything, not just the content that turned it on (aside from the development/hardware costs).
how is the DOS any easier than it is with revoking existing certs (ssl for example)?
Even though the features are only used some of the time, hardware needs to be built as if it is turned on all the time.
SSL still works on popular browsers with revoked certs, if you ignore warnings. That isn't an option for revoked hardware on vista.
"could you explain what you mean by crap that's only on some of the time affects everything, not just the content that turned it on (aside from the development/hardware costs)."
I think Gutman already explains it pretty well in the fourth and fifth sections ("Disabling of Functionality" and "Indirect Disabling of Functionality"). He's talking about devices being disabled--your screen going blank, your speakers going silent or distorted, etc. When your screen goes blank, you lose sight of everything, not just the "premium content" that triggered the blanking.
"how is the DOS any easier than it is with revoking existing certs (ssl for example)?"
ckelso explained the difference, but I should clarify that I wasn't just talking about the driver revocation. The device disabling and "tilt bits" are also ripe for DoS. They're designed to protect someone else from you ("you" meaning the computer owner) and they promise to shoot first and ask questions never.
Example one; if the OS has to wake every driver to check the tilt bit every 30ms then that is a load on the system - period.
Example two; if all bus transfers are encrypted then every access creates an increased load for both encryption and decryption.
One assumes the processes tasked with this also comsume resources on the box.
One suggestion in the article was that all I need to create DoS is code that sets tilt bits (directly or through cause and effect).
Another was to attack an older driver so that it would be revoked. The point being you have no choice in the reduced functionality once it has been revoked.
A consumer with a product in hand that already gets the job done is at least as patient with switching to a follow-on product that gives him only little added value at a higher price, than the stock analyst that will assert if the strategy behind the new product is a success or failure.
Some device makers will bite the bullet and go HD, others will avoid the costs and put a cheaper product to the market. And I believe there is significant potential for HD-free PCs.
DoS seems almost too easy. Malware that simulates or plays actual snippets of protected content, then interferes with the encryption messaging will cause intermittent lockout of analog ports, a reboot of the graphics subsystem, and/or a degradation of resolution. The resolution degradation doesn't sound like much until you're trying to play a game, like "what's the quickest evacuation route for a few million people in front of the oncoming hurricane."
I can see this malware being extremely difficult or even impossible to get rid of, too. Imagine trying to manually remove malware that continually reboots the graphics subsystem. If you have bitlocker enabled, you can't even boot the drive on another OS or PC to try to fix the issue.
I see how audio might cut out with protected content or be blocked over spdif and while annoying, i'm not sure that's a huge issue - it doesn't impact anything else in your system except when playing protected content. I'm not sure that video would completely go black unless there's an HDCP issue, which would be a problem at the card/monitor step in the chain (which is already a 'problem' with digital cable and lcd monitors / televisions and really isn't anything new). If there's a problem with authentication within the pc, at whatever stage, I'd hope that the driver could abort the processing without bringing the system to a useless (blank screen) state.
yes, the hardware needs to be built for when its in use, but if tilt bits are ignored except when protected content is being processed, I don't see how its going to have much impact the vast majority of the time.
example 1 - tilt bits aren't required by the MS Spec - they're suggested as an additional step vendors can take. I'd be surprised if they elected to use them constantly as opposed to polling them only while processing protected content.
example 2 - encrypted bus transers, again transfers only need to be encrypted if the content mandates it for travel over pcie - no processing overhead incurred during normal use. ckelso's point of the hardware having to be built for this still holds though.
tilt bits are optional, if the driver is ignoring them during normal use, I don't see how they could be used for DoS purposes.
driver revocation - if a driver is "attacked" the PVP-OVM certificate can be revoked, but it doesn't apply to the whole driver. The ms doc previously linked made mention of the driver determining whether to return the pvp cert depending on whether the hardware was compliant - meaning that the driver could operate on hardware without this certificate but not be able to process PVP content. I'd assume that this would hold true if it was revoked. So while an old card could technically be subject to a DoS through certificate revocation, it should only deny users from playing protected content, not using the card/driver for all other applications.
I really do appreciate the discussion here - its certainly more in depth than anywhere else i've been :)
Isn't this an extreme amount of trouble to go to in order to ensure that business systems can be trusted to handle copyrighted entertainment material? Can't the industry distinguish computers from video players anymore?
Beautiful! American capitalism accomplishes in one fell swoop what the People's Republic of China, and other oppressive regimes, are struggling to do to their subjects. That is, control what one may see and do with one's computer.
Vista is the Baidu of the US.
It does not sound like switching to Linux is the answer as some commenters suggest. If Microsoft/MPAA/RIAA grabs the Commons from us, Linux implementers will eventually have to go along. Or will be forced to.
Temporarily I'm refusing "premium" content. But in the end, I'll have to quit using computers.
You're trying to rebut every single point and example--and for my points you're doing it with hand-waving--but you're dodging the basic facts:
* This drives costs up and quality down.
* It treats the computer owner as the enemy.
* It does not just treat "premium content" differently. It treats everything, including the user, differently when "in the presence of premium content."
* "Premium content" is a self-declared status.
How is that good, or even tolerable? The specific accusation made by Gutman may sound outrageous to you. but they're very consistent with the basic approach that Microsoft has publicly embraced.
Maybe you know things about the system we don't.
If you create code to poll for tilt bits how do you know it doesn't poll all drivers? The article suggests this is what happens - but maybe there is a registration process so the OS knows when the vendor implements it and when they don't?
Then again I could attack the registration process directly so it would be interesting to see how such a system fails. If it exists at all that is. Either way the code must load the system and can't be turned off.
DoS is all about how systems FAIL - not how they work as intended. In security terms Vista content protection appears to lack keys aspects of a secure (aka. fails well) system. It is closed and proprietary so replies entirely on the people who wrote it being perfect and predicting all failure vectors - and it seems tightly coupled, which will create failure senarios no one thought of. Hence security people see good possibilities of DoS.
What follows are some comments I wrote up for an email list I'm on.
I'll skip the summaries and start with the introduction.
"This document looks purely at the
cost of the technical portions of Vista's
He should have said "complexity" because almost nothing he describes has a direct or necessary relationship with cost. There are complexities involved, but they're pretty much insignificant especially by comparison with Gutmann's hype.
"However, one important point that
must be kept in mind when reading this
document is that in order to work,
Vista's content protection must be able
to violate the laws of physics,
something that's unlikely to happen no
matter how much the content industry
wishes it were possible."
This point sounds important but he never backs it up, so I'll skip it too.
"Since S/PDIF doesn't provide any content
protection, Vista requires that it be
disabled when playing protected content."
I believe this is wrong. I'm pretty sure Microsoft and the content creators aren't going to prevent people from playing high-quality audio over USB speakers and Bluetooth headsets. I'm pretty sure that digital audio may be transmitted at CD quality levels (stereo, 44.1 KHz, 16-bit samples).
"For example PC voice communications rely on
automatic echo cancellation (AEC) in order
to work. ..."
This is a very interesting point. If it's okay to get the downsampled CD-quality audio, AEC should still work just as well. If not, people may just have to give up on doing full-duplex voice communications while simultaneously using the PC to play protected high-def content. I think perhaps this is not a big problem.
"Alongside the all-or-nothing approach of
disabling output, Vista requires that
any interface that provides high-quality
output degrade the signal quality
that passes through it."
This is grossly overstated because it implies this happens all the time. It's true only when the content is protected and the selected output is inherently insecure.
In practice, once secure hardware gets out there, most end users will never see this problem.
In the meantime, yeah, Microsoft and the hardware guys shouldn't claim to support protected HD content if they don't have a complete solution.
"For example the field of medical imaging
either bans outright or strongly frowns on
any form of lossy compression because
artifacts introduced by the compression
process can cause mis-diagnoses and in
extreme cases even become life-threatening."
This is grossly irresponsible and tantamount to invoking Godwin's Law. No medical-imaging system in the world is ever going to use the kind of content protection that Microsoft and the MPAA care about, and no medical technician would ever overlook the sudden downsampling-and-supersampling of medical imagery. Nobody's going to die.
"Elimination of Open-source Hardware Support"
"Elimination of Unified Drivers"
These sections are ridiculous. The only thing the open-source software movement won't get is enough information to let them violate the intellectual-property rights of the hardware vendors and content creators.
Users will be able to get closed-source drivers where there's enough demand. Nobody has the right to expect anything more than that.
"This means that a report of a compromise of a
particular driver or device will cause all
support for that device worldwide
to be turned off until a fix can be found."
This is a clumsy lie. The only thing that has to be denied in the event of a crack is the ability of the compromised device to violate intellectual-property rights.
The truth hiding behind the lie is that this repudiation process could make enemies if it's invoked clumsily, inappropriately, or too often. This might happen, or it might not. If it does happen, the eventual result will be the relaxation of the content-protection requirements in order to protect the revenue stream.
"For example if there are unusual voltage
fluctuations, maybe some jitter on bus
signals, a slightly funny return code from
a function call, a device register that
doesn't contain quite the value that was
expected, or anything similar, a tilt bit
Another clumsy lie. Nobody's building graphics cards with super-sensitive voltage comparators on the power-supply lines or bus signals. It's likely there will be software tell-tales. If these are badly implemented or exploited by malware, they'll be removed.
"'Cannot go to market until it works to
specification... potentially more respins
of hardware' -- ATI."
How is this different than any other generation of hardware? Sheesh.
"Apart from the massive headache that this
poses to device manufacturers, it also
imposes additional increased costs beyond
the ones incurred simply by having to lay
out board designs in a suboptimal manner."
Nonsense. This is like the old arguments against clean-burning engines. It turns out it's cheaper and easier in the long run to do it the right way. Plus, signals that can easily be intercepted have to carry encrypted data anyway. The only places that unprotected digital video could be intercepted are inside chips.
"Increased Cost due to Requirement to License
Unnecessary Third-party IP"
This section is also nonsense. There are hundreds of chips in the world that contain unlicensed IP-- because the functionality is disabled. At least as a first-order effect, the only chip costs due to IP licensing will be for chips that actually expose the licensed functionality.
"Unnecessary CPU Resource Consumption"
Completely false. The only thing that really matters here is the effort required to decrypt pre-authored content. Apart from a stopgap solution here or there, this will always be done in hardware. Gutmann goes on to admit as much in the very next section, too. Every graphics-chip vendor is putting 100% of the HD-DVD/Blu-Ray processing stack into hardware. CPU utilization will go DOWN with these implementations-- almost to zero, in fact-- not up.
Most of this section is just heartburn over the fact that marginal codecs aren't mainstream codecs. Oh, well. Better skill next time.
Well, that's pretentious. He never STARTED thinking clearly about the issue. It's all just knee-jerk mumbo-jumbo.
"In July 2006, Cory Doctorow published an
analysis of the anti-competitive nature of
Apple's iTunes copy-restriction system."
One thoughtless crank referencing another. Brilliant.
It's not handwaving any more than Gutmann's arguments are handwaving - he hasn't proved that any of his claims are true, whether it be how tilt bits are implemented or otherwise.
I agree with you on the underlying philosophical points; this isn't a good thing by any stretch of the imagination. I read this blog because I'm interested and concerned about issues like these. It's a fundamental shift in how one "owns" content on their computer. I just don't buy any of the practical arguments against it, aside from some increased hardware/development costs. The only reason Vista might become somewhat acceptable is if you don't deal with premium content at all you won't encounter any of the performance issues raised by Gutmann.
I'm surprised nobody has raised this question yet:
what if a PC doesn't have an internet connection?
The do exist, you know. They can't possibly make an exception for this,
because otherwise everyone would just block the outbound traffic to the microsoft
servers at their firewall and no driver could ever be revoked.
On the other hand, requiring an internet connection to use a PC, even when not
playing "premium content" would be absurd.
This whole scheme seems like a political trick to me; first they propose a system
that is absolutely completely ridiculous. Then the demands are weakened, and the
system is accepted, because it is not quite as terrible as the original. It's a bit
like what I've seen happen in the US a lot recently; laws or ammendments are packaged,
with one dummy law who's only purpose is to take the flak while the others get through.
On a side note, I would like to see some of this so-called "premium content"
that is actually worth protecting.
"people may just have to give up on doing full-duplex voice communications while simultaneously using the PC to play protected high-def content. I think perhaps this is not a big problem."
That's a huge problem! There is absolutely no technical reason for stopping the user from using the PC formerly known as theirs from doing both. Gamers, for example, often listen to their music library while playing online games and chatting with friends. Now the 7-ish Million people playing World of Warcraft will no longer be able to voice chat and listen to high definition audio?
Thing is, the PC became ubiquitous BECAUSE it was a rather open platform. High tech users could develop hardware and drivers to do whatever they could think of. Under Vista, the PC is becoming totalitarian - you may only do what emperor Microsoft (or Big Brother Microsoft) allows in the Microsoft approved method - Microsoft approved drivers, Microsoft approved content, Microsoft approved specifications. Unfortunately, Microsoft isn't that good at being totalitarian, except where competition is concerned. The malware writers run circles around Microsoft's protections (or lack thereof).
Abuse is not argument.
You need to document accusations of lying and claims like "I believe this is wrong" if you expect me to take you seriously.
You say at the begining of your post nothing relates to cost then try to refute a later point by suggesting encryption chips will be built in. There is a lack of thought there.
There's a difference between a claim that could be false and hand-waving. It could turn out that (to pick one example) "device drivers are required to poll the underlying hardware every 30ms" is just not true, but at least it's a clear-cut technical basis for his claims. What I hear from people on the other side is, "Gosh, Microsoft wouldn't do something like that. He must be wrong." That is hand-waving.
One thing worth noting is that the measures which protect Vista itself need to be on all the time. Otherwise, any security enforced by Vista is broken. Also, any measures to prevent device tampering need to be on all the time for devices that deliver content. Otherwise, Vista might never realize that the content was supposed to be "premium."
That doesn't prove that Gutman is telling the truth: Microsoft might not care or might think an obviously broken system is better than none (or think who-knows-what). But it means you can't just dismiss him as "overblown." What he describes is quite possible given what we already know.
A refutation might be more convincing if you actually offered arguments, or, say, read the article in a balanced mind set. For instance, you might have read Note A before jumping all over "costs" (and besides, any good engineer already knows that most interesting costs aren't measured in dollars and cents, beancounters be damned).
By the way, I do think Gutman overstates his case with MS trying to break the laws of physics. Nice metaphor with quantum mechanics, but it's just a metaphor. However, they are indeed trying to break laws of economics and psychology by introducing a secure platform for general purpose computing(!) where the owner/operator is viewed as a potential hostile. Never been done. Will never be done well, and certainly not right now: that's what "general purpose" means. You don't know what the system will be used for, so you cannot limit its functionality in one area without encountering unexpected side effects.
The draconian US DMCP act nonwithstanding, security for even a single-purpose device over which you relinquish physical control (say, an authentication token or cable decoder) will be compromised. Add the orders of complexity in a PC, and I'm afraid Gutman is just scratching the surface. With all due respect to the skilled and dedicated Microsofties, the attack surfaces are huge and inviting, the number of parties involved who have to understand and want to do right is massive, and no amount of circuit board design rules, driver revocation WGPA or forced O/S updates can do more than stem single points of leakage, at enormous cost (in the general sense) to usability and trust from the end users, with little benefit to copyright holders.
The more I reflect on it, the more it seems MS is engaged in a double game of security theatre vs content providers from the marketing guys, and engineering pipedream vs the marketing guys from developers mislead by the intellectual fascinations of public key cryptography.
So, from my quick read of this article, I have learned that Vista is going to degrade the "user experience" for people who already have high-end audio and video equipment attached to their PCs. It is likely to degrade the experience for gamers too, at least initially, and then drive up the cost of premium video cards. It seems to me that this is a really good way to piss off a huge portion of the early adopters.
Actually, as a convinced GNU/Linux and OpenBSD user I find these developments quite amusing. In fact I don't pity anyone who is affected by this mess. I have stopped comforting MS Windows users a long time ago and simply advise them to use a Free/Open Source operating system or maybe even buying an Apple, if they must (hey, I even own one myself...) - anything but Windows. The operating system sucks, the applications for this operating system suck (most of the time) and it's just a pain in the ass to maintain if your average Joe worked at it for a couple of months before with administrator privileges.
Concerning hardware and drivers: Anybody laughing at the OpenBSD folks for their Anti-Blob campaign should finally wake up and help increase the pressure on hardware vendors to release the necessary information to write open drivers.
And regarding the commentary Bruce linked: interesting though I'm resisting to taking the guy's site seriously after reading the "about" page...
One man's ramblings, possibly entirely bogus:
o If I'm blind and use a screen reader, audio degradation or disablement may mean a great deal to me.
o If I use a (legally purchased) image from a movie as my "wallpaper", does that count as displaying "premium content" *all the time*?
o If I'm a corporate user on a shared computer (Citrix or what-have-you), and some other user is using premium content (as part of his/her job), does Vista degrade all of my usage as well (I think it would), or does it just put Citrix out of business?
o I've read about people reading a display's content from a distance using the RF output of the monitor or video card, or some such. Would Vista DRM protect against this? If you could get the signal at all, it'd be completely passive, right? so no "tilt bits". And again, if it worked at all, presumably you could so the same with the sound card.
o Do air traffic control computers run Windows? *shudder* Hospitals? Nuclear power plants? Stock exchanges? Banks? Insurance companies? 911 and other emergency response centers? Telephone companies? Could a Black Hat not cause just a *teensy* bit of havoc by spoofing a single device driver revocation at a single institution? (Assume the Black Hat in question has the resources of, say, Iran, North Korea, or China, and they target, say, the New York Stock Exchange. "Gosh, suddenly 30% of the monitors at the NYSE went black. How'd that happen?")
@Larry, some answers
1. No - If you are using a screen reader you are unlikely to be playing audio, let alone hi-def premium audio, at the time, so won't mean a great deal. The speech output from the reader isn't premium content so it won't be affected.
2. No, images aren't premium content. Only HD-DVD's and BlueRay movies are premium content.
3. No - you just wouldn't be able to watch the movie over Citrix, if not only for the sheer amount of network traffic that would be required. Whether your shared computer would have any grunt left to run a Citrix session after decoding hi-def content is another matter.
4. Yes, although only possible with CRT's. The picture obtained would be such bad quality that it wouldn't be worthwhile. You'd get better results using a camcorder pointed at an LCD screen.
5. I dunno what systems ATC ... uses, but as Driver revocation only affects a computers ability to play premium content (i.e. HD-DVD / Blu Ray) this wouldn't be a problem (If AT Controllers *are* watching movies while on the job then you probably have more serious problems). And before you ask medical imaging/scans wouldn't be affected by driver revocation as it isn't premium content.
What drives me around the bend with all this talk of what the OS will do in such and such a case, is that there seems to be the implicit assumption that whatever the OS chooses to do will be according to the conditions the designers expected. I.e., they are all-seeing and all-knowing, and have predestined what is to happen. Instead of say, educating users and giving them the power to make intelligent choices based on the situation at hand. In military terms (and company management one would think), this is equivalent to denying the commander on the scene power of action according to his judgment, or disbelieving Clausewitz and others who made such famous remarks as "no plan survives first contact with the enemy".
"although only possible with CRT's"
Untrue. See Markus Kuhn's website, specifically his papers on compromising emanations. There is one paper written specifically to address this issue on flat panel displays as well.
It occurred to me after reading Gutmann's article: How convenient for MS that these new Vista-related hardware requirements will have the side effect of "eliminating Open-source hardware drivers". So, even as desktop linux becomes more attractive to the masses, it will become less and less likely to work on their PCs, due to the penetration of Vista-compliant hardware.
I'm sure that this outcome never even occurred to our friends in Redmond. If it had, I'm equally sure they would be distressed. But, of couse, their hands are tied. In order to "protect premium content", they simply must insist on these requirements.
Has anyone found a good rebuttal to this yet?
So, in short, a brief summary...
To all holders of MSFT stock:
SELL! SELL! SELL!
Rebuttal now up -
As Guttman was claiming that this content protection would de-stabilize your computer even if you never played protected content, this seems to have been refuted.
Driver revocation, tilt bits, image constricting and encrypting the PCIe bus only happen when you play premium content, and can only affect the content being played. If you're worried about all this don't play HD-DVD's on your PC, play them on your 50 USD Chinese HD-DVD player.
Ideas that your graphics card can be turned off remotely by Redmond, or that accidentally playing a web page with 'protected' content in the background will cause medical images to be degraded are plain incorrect.
Concerns about Audio and Video editing in Vista are unfounded as their content is unprotected and will not go through the protected video path. And if AAC is properly cracked then HDDecrypter.exe is unlikely to use a protected video path / HDCP montior is it?
Points about this open source graphics drivers are a bit more ambiguous, but it seemed graphics drivers were moving towards a closed source model anyway. And there is nothing stopping graphics manufacturers from producing non-HD-capable cards for the business market so it isn't going to drive up all hardware prices.
Having said this, *if* you want to play protected content legally then I think there will be pain.
People will be frustrated by the graphics card and monitor compatibility, and there is every chance that the 'Protected Video Path' will not work as smoothly as intended. Even now HDCP is causing problems with standalone players. And even if it all works concerns that you are no longer trusted on your own computer are valid.
However you can quite happily use Vista and not be affected by the 'content protection' at all.
If you thought Microsoft was going to be able to stop the draconian restrictions on HD-DVD then the think again - their biggest market is in standalone players rather than people playing the movies on their PCs so they could do without Microsoft if they desired. I don't believe Apple will be immune, although they'll probably roll it out on new iMac's and rely on its physical design to
In conclusion, there are issues with the DRM in Vista but if you never play protected content you will never experience them.
looks like my "handwaving" was more accurate than Gutman's research.
Looks like it's been updated to deal with the "rebuttal"
[…] Unblanking the Blank Screen “Some of us can use the blank screen to scare the proverbial pants off ourselves imagining how […]
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.