A roach motel for your data

Wed Dec 06 05:17:06 -0800 2006

The arrival of MS Windows Vista escalates what had been a purely theoretical problem of data control into a real and present risk that should be head on in your radar. Digital Restrictions Management technologies combined with the Digital Millennium Copyright Act (DMCA)/European Copyright Directive (EUCD), Trusted Computing Platform Module (TCPM) hardware, and Windows Vista, combine in a way that makes it possible for external parties to hold your data hostage in MS Office.

Doctorow concludes, "The Trusted Computing Module has sat silently on the motherboard for years now. Adding Vista and IRM to it takes it from egg to larva, and turning on remote attestation in a year or two, once everyone is on next-generation Office, will bring the larva to adulthood, complete with venomous stinger."

A roach motel for your data
Wed Dec 06 05:44:08 -0800 2006
This is the very thing that I found so terrifying that I had to switch to open source. I mean... *honestly* doesn't this scare everyone shitless? Why can't I get my friends and family to see the danger here and switch?
A roach motel for your data
Wed Dec 06 08:23:24 -0800 2006
Because your family wants things to "just work".  You'll have to find some way to explain the dangers that relates to their lives more directly.  Until that happens, they'll be happy to buy whatever shrinkwrapped goodness that lets them e-mail pictures back and forth.
A roach motel for your data
Wed Dec 06 07:35:45 -0800 2006
What about the competing model? If you use Google Spreadsheets for example all your data is already on their servers, no need for them to scoop it up. Same with your mail, web searches, photos, etc.
A roach motel for your data
Wed Dec 06 14:14:05 -0800 2006
Ok, I understand from a hackerish, information must be free model, why this would be a bad thing.  But from a super-secret anti-corporate espionage standpoint, this seems like a highly attractive and good thing.  It occurs to me that customers that live in paranoia will pay for this "feature"- and that there will be a lack of customers willing to pay extra in business lines that aren't so paranoid.
A roach motel for your data
Wed Dec 06 18:25:19 -0800 2006
"It occurs to me that customers that live in paranoia will pay for this "feature"- and that there will be a lack of customers willing to pay extra in business lines that aren't so paranoid."

That may be, but why would anyone paranoid and informed trust Microsoft with that much power and access over their information / data?

all the best,

drew

From a business point of view, you lose control of your data and others gain access to it

Thu Dec 07 00:49:08 -0800 2006

From a business point of view, and even that of an agency or private citizen, you A) lose control of your data and B) others gain access to it at least in part. Originally trusted computing was about you deciding which programs and data can be used. However, as it has been now implemented it is about third parties deciding. Even reading a little about it you can spot the problems. Try two thought experiments:

Loss of control

Let's say the technology behind the digital restrictions works perfectly in that it does exactly what it advertises. Authentication, authorization, and access controls cannot be available to you or else they can be circumvented. Caching cannot be allowed because the roles might change or could be exploited say as a replay attack, among other things. That means that at least part of the mechanism must reside off of your machine.

So even if there aren't any other problems, you have introduced a single point of failure in two places. First is the authentication, authorization and access system which you need to create, move, copy, erase, read, write/edit, print, listen to, mail, parse or otherwise use a document. The second place is in the network used to stay in continuous contact with the authentication, authorization and access system. When you lose contact or the service does not respond that means that for a while you cannot do anything with your own data.

If you, a worker, or anyone else is locked out for ten minutes, it does not mean that ten minutes are lost. People are machines, they have trains of thought to recover, schedules to keep, priorities to follow and do get stressed when things fail to work. So, for example, working for twenty minutes and then getting locked out for five could mean that you must stop working on that for the day to catch a meeting or other activity and then it may take just as long to figure out where you left off.

Third party access to your data

Third party access is more of a concern for businesses and the public sector, though even individual citizens ought to have their dander up at least in principle.

Simply put, if the system is out of your hands you don't know, can't know, who or what has access to your data. But you can bet that if an authorized third party and/or unauthorized evil 'hackers' can figure out how to get at it, then you can bet that competitors have figured out ways to do so as well. Corporate espionage is bigger from some countries than others, but it's real and it costs.

However, even without finding or bribing a way in to the data, just the phone home requirements of the authorization and access systems give a lot of information to competitors. I'll consider that it's not necessary to explain the intelligence value of mapping social networks, but will point out that the same value can be had of mapping contacts within industry or government. You give that information away when spreading or using DRM'd documents because of the inherent need the system has in checking on authorization and access.
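
The phone-home point in the comment above, as an added example that is not part of the original comment: a constructed log of authorization checks is reduced to a who-works-with-whom graph without touching any document content. The record layout, field names and all identities are hypothetical, chosen only to show what such a service sees.

```python
from collections import Counter, defaultdict

# Constructed sample: one record per authorization check made when a
# rights-managed document is used. The field layout is hypothetical.
SAMPLE_LOG = """\
2006-12-04T09:02:11 user=alice@corp-a.example doc=D-100 owner=bob@corp-b.example action=open
2006-12-04T09:40:55 user=alice@corp-a.example doc=D-101 owner=bob@corp-b.example action=print
2006-12-05T14:12:03 user=carol@corp-a.example doc=D-100 owner=bob@corp-b.example action=open
2006-12-05T16:30:47 user=bob@corp-b.example doc=D-200 owner=alice@corp-a.example action=open
2006-12-06T08:15:20 user=dave@agency.example doc=D-300 owner=dave@agency.example action=edit
"""

def parse_line(line):
    """Split one record into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec

def contact_graph(log_text):
    """Count reader -> owner contacts visible to the authorization service."""
    edges = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["user"] != rec["owner"]:  # opening your own file reveals no contact
            edges[(rec["user"], rec["owner"])] += 1
    return edges

def org_links(edges):
    """Collapse person-level edges into organisation-to-organisation links."""
    links = defaultdict(int)
    for (user, owner), n in edges.items():
        a, b = user.split("@")[1], owner.split("@")[1]
        if a != b:
            links[tuple(sorted((a, b)))] += n
    return dict(links)

if __name__ == "__main__":
    edges = contact_graph(SAMPLE_LOG)
    for (user, owner), n in sorted(edges.items()):
        print(f"{user} -> {owner}: {n} checks")
    print(org_links(edges))
```
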

It all comes down to trust

Wed Dec 06 22:10:28 -0800 2006
My company is a vendor of a hosted software application, so perhaps my perception is colored - all the data we host for our clients is encrypted to begin with, and that's a feature that we tout! (if our client's mobile laptop system with sensitive data gets stolen, it's not a security compromise, thus doesn't have to be reported)

Software is rapidly polarizing - those who choose to be "in the know" use free or open-sourced software. They pay the price to know, understand, and maintain their information systems. Those who'd rather not bother are increasingly turning to managed solutions, often involving the use of DRM. Windows Vista marks another milestone in that polarization. The spread of ASP software solutions is another, as is the founding of RedHat, and the founding of the GNU foundation.

Free software scales nicely - one admin can manage services for hundreds or thousands of users, so why make end users  into administrators? Why not outsource the administration of your systems? Money is a very important form of information, and we've outsourced the management of it to banks for hundreds of years.

As stated before, in our company, DRM is part of the equation - it's a hosted application, and we take care of things so that our clients don't have to. We do the backups every night. We maintain a high-availability hosting environment. We provide updates to the software for free. We charge about the same as our competitors, and have generous SLAs in our contracts, as well as a strong privacy clause.

It's important to know who/what you are dealing with. I do not trust Microsoft's vision of "Trusted Computing" - I moved to Linux years ago, and have never looked back with anything but satisfaction. As CTO, our company has been built with 100% Linux infrastructure, and it's just been wonderful.