Watch for the sell out by AMD and Intel.

AMD and Intel have included a "secure" private area on the cpu you
purchase so that Microsoft can make your computer "secure" from you.

Here is an article in The Register about what NX will do for you:

http://www.theregister.co.uk/content/4/33729.html

This article talks about the NX bit set that sets off a "secure" area
in the CPU so that Microsoft can impliment for "Next Generation
Secure Computing Base" aka Palladium and this is to be a "feature" on
all new CPUs in the pipe and on current Itanium and AMD64 CPUs. The
cynic would say that this was admission for Microsoft to rewrite to 64
bit code.

Here is a blurb from Microsoft about NGSCB:

http://www.microsoft.com/resources/ngscb/default.mspx

The two really bad things for the PC buyer is that you buy a PC and
it's your property but billg and friends are the only ones to get
admin on it so your PC now becomes an appliance and access is
ultimatly controlled not by you but by Bill & Co. The other really
bad thing is that now every PC with NX and XP SP2 or newer OS ( with
Longhorn ) will have it's own unique ID that can be remotely
manipulated. This lends itself nicely to unpopular things like
software and hardware expiration and monitoring for bad things like
music that is not approved of on your fixed disk.

THX

On 11 Nov 2003 12:30:43 -0800, thx1138@gibweb.net (THX1138) wrote:
Watch for the sell out by AMD and Intel.AMD and Intel have included a "secure" private area on the cpu youpurchase so that Microsoft can make your computer "secure" from you.Here is an article in The Register about what NX will do for you:http://www.theregister.co.uk/content/4/33729.htmlThis article talks about the NX bit set that sets off a "secure" areain the CPU so that Microsoft can impliment for "Next GenerationSecure Computing Base" aka Palladium and this is to be a "feature" onall new CPUs in the pipe and on current Itanium and AMD64 CPUs. Thecynic would say that this was admission for Microsoft to rewrite to 64bit code.Here is a blurb from Microsoft about NGSCB:http://www.microsoft.com/resources/ngscb/default.mspxThe two really bad things for the PC buyer is that you buy a PC andit's your property but billg and friends are the only ones to getadmin on it so your PC now becomes an appliance and access isultimatly controlled not by you but by Bill & Co. The other reallybad thing is that now every PC with NX and XP SP2 or newer OS ( withLonghorn ) will have it's own unique ID that can be remotelymanipulated. This lends itself nicely to unpopular things likesoftware and hardware expiration and monitoring for bad things likemusic that is not approved of on your fixed disk.THX


Is this just going to be another reason to push us to using Linux 100%
of the time and abandon Windows for good or are the Linux flavors doing
this too?

Ed

Ed wrote:
Is this just going to be another reason to push us to using Linux 100% of the time and abandon Windows for good or are the Linux flavors doing this too? Ed


I can't imagine Linux going down this road unless of course M$ convinces the
US gov that any OS not using this should be "illegal" and considered a
"terrorist OS"... I wouldn't be surprized if M$ pulls that off!
--

Stacey

On Tue, 11 Nov 2003 20:15:32 -0500, stacey <fotocord@yahoo.com> wrote:
Ed wrote: Is this just going to be another reason to push us to using Linux 100% of the time and abandon Windows for good or are the Linux flavors doing this too? EdI can't imagine Linux going down this road unless of course M$ convinces theUS gov that any OS not using this should be "illegal" and considered a"terrorist OS"... I wouldn't be surprized if M$ pulls that off!

They are certainly going to try. I don't know that Microsoft has
thought this one through completely. I'm a little worried about Bill
and Steve because they're showing signs of, um, stress.

With traceability comes liability. Microsoft protected by it's
infamous EULA's? Maybe. Wait until some EU gets hung out to dry
because of consequential damages caused by their hacked Windows box.

RM

Robert Myers wrote:
On Tue, 11 Nov 2003 20:15:32 -0500, stacey <fotocord@yahoo.com> wrote:Ed wrote: Is this just going to be another reason to push us to using Linux 100% of the time and abandon Windows for good or are the Linux flavors doing this too? EdI can't imagine Linux going down this road unless of course M$ convincesthe US gov that any OS not using this should be "illegal" and considered a"terrorist OS"... I wouldn't be surprized if M$ pulls that off! They are certainly going to try.

What they might try is to force ISP's to only allow "traceable" computers to
connect to their systems. Then again I can't really see that as what will
all the old hardware people do? I guess they could force people to upgrade?
Wouldn't be the first time that's happened.

--

Stacey

Ed <nomail@hotmail.com> wrote in news:95s2rv8psaf99jal4ug563lm5ar8oudq44@4ax.com:

Is this just going to be another reason to push us to using Linux 100% of the time and abandon Windows for good or are the Linux flavors doing this too?

Linux has started supporting DRM as Linus said its "politically corect thing to
do" :/ The good news is you can always rip your kernel off of that peace of sh**.

Pozdrawiam.
--
RusH // [502-20-14-27 tylko SMS]
http://kiti.pulse.pdi.net/qv30/ <-- to prawdziwy ja
Pent-up passive-aggressive dork alert! Whoop! Whoop!
Whoop! Whoop! Boy, you're really lighting up this alarm here!

In article <94be89da.0311111230.5cbde731@posting.google.com>,
thx1138@gibweb.net (THX1138) writes: Watch for the sell out by AMD and Intel. AMD and Intel have included a "secure" private area on the cpu you purchase so that Microsoft can make your computer "secure" from you. Here is an article in The Register about what NX will do for you: http://www.theregister.co.uk/content/4/33729.html This article talks about the NX bit set that sets off a "secure" area in the CPU so that Microsoft can impliment for "Next Generation Secure Computing Base" aka Palladium and this is to be a "feature" on all new CPUs in the pipe and on current Itanium and AMD64 CPUs. The cynic would say that this was admission for Microsoft to rewrite to 64 bit code.
I'm not sure if this is really DRM. It looks more like something that
should have been done long ago - you can define pages or RAM as
execute, as opposed to read or read/write. X86 was really kind of
brain-dead from the start for not doing this.

IIUC, this is a basic piece of hardware security that helps protect
all of us from buffer overflows, not a sinister DRM camel's-nose.

As long as it's documented. (not Appendix-H, either)
As long as I (or a kernel hacker I trust) can turn it on and off.

Dale Pontius

RusH wrote:
Ed <nomail@hotmail.com> wrote in news:95s2rv8psaf99jal4ug563lm5ar8oudq44@4ax.com: Is this just going to be another reason to push us to using Linux 100% of the time and abandon Windows for good or are the Linux flavors doing this too? Linux has started supporting DRM as Linus said its "politically corect thing to do" :/

He is correct. If linux didn't, M$ would just claim it's a "terrorists OS"
and try to make it illegal where ever they could. The good thing is with
linux being open source, disabling it shouldn't be an issue. Look at what
happened with the P3 "identity". People complained so loudly the Mobo
makers put a "disable" flag in the bios. I don't see why they wouldn't do
the same this time.

--

Stacey

Dale Pontius wrote:

IIUC, this is a basic piece of hardware security that helps protect all of us from buffer overflows,

If that is the case, that IS a good thing. Buffer overflows helps no end
user..

--

Stacey

dale@edgehp.invalid (Dale Pontius) wrote in message news:<inurob.age.ln@tomcat.edgehp.invalid>... In article <94be89da.0311111230.5cbde731@posting.google.com>, thx1138@gibweb.net (THX1138) writes: Watch for the sell out by AMD and Intel. AMD and Intel have included a "secure" private area on the cpu you purchase so that Microsoft can make your computer "secure" from you. Here is an article in The Register about what NX will do for you: http://www.theregister.co.uk/content/4/33729.html This article talks about the NX bit set that sets off a "secure" area in the CPU so that Microsoft can impliment for "Next Generation Secure Computing Base" aka Palladium and this is to be a "feature" on all new CPUs in the pipe and on current Itanium and AMD64 CPUs. The cynic would say that this was admission for Microsoft to rewrite to 64 bit code. I'm not sure if this is really DRM. It looks more like something that should have been done long ago - you can define pages or RAM as execute, as opposed to read or read/write. X86 was really kind of brain-dead from the start for not doing this. IIUC, this is a basic piece of hardware security that helps protect all of us from buffer overflows, not a sinister DRM camel's-nose. As long as it's documented. (not Appendix-H, either) As long as I (or a kernel hacker I trust) can turn it on and off. Dale Pontius

Very true, it's not DRM technically.

The relationship to DRM in the same way a shiney new bullett has to a
grimey Saturday Night Special with eletrical tape around the handle.

They key to this is the key, really.
The owner of the keys to which the NX instructions will be tied to and
used as the lock that controls access to any of the PC resources is
not the owner of the PC. The "consumer" takes a back seat to the
media monopoly, the software monopoly and pretty much anyone else who
pays the toll to M$.

The other catch is that it does not work unless they can:

A) Make it so you can't turn it off.
B) Make it so you can't turn it off, because you need it to access
some vital service.

This a M$ initiative, while it is nice to think that M$ would change
it's past history and document everything in proper manner like a real
software company should. You just know it's never going to happen
that way and what documentation there is will cost a ransom to M$ and
will have to be read under the "Dome of Silence", in the back room,
down the stairs, behind the door with a sign that says "beware of the
leopard".

THX

On Wed, 12 Nov 2003 01:31:32 -0500, stacey <fotocord@yahoo.com> wrote:
RusH wrote: Ed <nomail@hotmail.com> wrote in news:95s2rv8psaf99jal4ug563lm5ar8oudq44@4ax.com: Is this just going to be another reason to push us to using Linux 100% of the time and abandon Windows for good or are the Linux flavors doing this too? Linux has started supporting DRM as Linus said its "politically corect thing to do" :/He is correct. If linux didn't, M$ would just claim it's a "terrorists OS"and try to make it illegal where ever they could. The good thing is withlinux being open source, disabling it shouldn't be an issue. Look at whathappened with the P3 "identity". People complained so loudly the Mobomakers put a "disable" flag in the bios. I don't see why they wouldn't dothe same this time.

It's different now. The enemy (the evil businessman) has learned from
his mistakes, regrouped, formed alliances, and is attacking with new
strength. And all because some (many, actually) bad apples can't
understanding that stealing is wrong.

As Keith said, I don't feel the same way about needing locks and keys
on my car. That's because they don't invade my privacy and restrict
my rights.

Ed <nomail@hotmail.com> writes:
Is this just going to be another reason to push us to using Linux 100% of the time and abandon Windows for good or are the Linux flavors doing this too?

That's the beauty of having the source available. Even if every Linux
distribution followed this model (which is extremly unlikely), you
could still build your own kernel.
--
Joseph J. Pfeiffer, Jr., Ph.D. Phone -- (505) 646-1605
Department of Computer Science FAX -- (505) 646-1002
New Mexico State University http://www.cs.nmsu.edu/~pfeiffer
Southwestern NM Regional Science and Engr Fair: http://www.nmsu.edu/~scifair

chrisv wrote:
As Keith said, I don't feel the same way about needing locks and keys on my car. That's because they don't invade my privacy and restrict my rights.


Keys are different in that the people that are protected are the same ones
who are inconvinienced. i.e. have to keep up with the keys.

It will be like if you had to walk to the police station to get your own
keys to the car you paid for every morning to make sure the dealers cars
are protected from -you- because some people steal cars, obviously everyone
is suspect and as such you should be treated as a thief.
--

Stacey

In article <94be89da.0311120545.3b0394d7@posting.google.com>,
thx1138@gibweb.net (THX1138) writes: dale@edgehp.invalid (Dale Pontius) wrote in message news:<inurob.age.ln@tomcat.edgehp.invalid>... In article <94be89da.0311111230.5cbde731@posting.google.com>, thx1138@gibweb.net (THX1138) writes: Watch for the sell out by AMD and Intel. AMD and Intel have included a "secure" private area on the cpu you purchase so that Microsoft can make your computer "secure" from you. Here is an article in The Register about what NX will do for you: http://www.theregister.co.uk/content/4/33729.html This article talks about the NX bit set that sets off a "secure" area in the CPU so that Microsoft can impliment for "Next Generation Secure Computing Base" aka Palladium and this is to be a "feature" on all new CPUs in the pipe and on current Itanium and AMD64 CPUs. The cynic would say that this was admission for Microsoft to rewrite to 64 bit code. I'm not sure if this is really DRM. It looks more like something that should have been done long ago - you can define pages or RAM as execute, as opposed to read or read/write. X86 was really kind of brain-dead from the start for not doing this. IIUC, this is a basic piece of hardware security that helps protect all of us from buffer overflows, not a sinister DRM camel's-nose. As long as it's documented. (not Appendix-H, either) As long as I (or a kernel hacker I trust) can turn it on and off. Dale Pontius Very true, it's not DRM technically. The relationship to DRM in the same way a shiney new bullett has to a grimey Saturday Night Special with eletrical tape around the handle. They key to this is the key, really. The owner of the keys to which the NX instructions will be tied to and used as the lock that controls access to any of the PC resources is not the owner of the PC. The "consumer" takes a back seat to the media monopoly, the software monopoly and pretty much anyone else who pays the toll to M$. The other catch is that it does not work unless they can: A) Make it so you can't turn it off. B) Make it so you can't turn it off, because you need it to access some vital service. This a M$ initiative, while it is nice to think that M$ would change it's past history and document everything in proper manner like a real software company should. You just know it's never going to happen that way and what documentation there is will cost a ransom to M$ and will have to be read under the "Dome of Silence", in the back room, down the stairs, behind the door with a sign that says "beware of the leopard".
On first and second readings, I saw nothing about a 'key'. By my guess,
it's just something like a page attribute. Just like you can mark pages
read-write or read-only, you now can mark them read-execute. Then you
have to tell the OS that it should only execute code from read-execute
pages, and not execute code from read-only or read-write pages.

In essence, this means that a buffer overflow can still overwrite parts
of your stack, but it can't put executable code there, nor can it over-
write any of your executable code. So while not impossible, it becomes
tougher to do anything with a buffer overflow. You have to know where
some handy code has already been compiled, and how to craft an offset
into the buffer overflow to get there. Some Linux security patches can
randomize code loading addresses, making this type of attack practically
impossible. (other than as a Denial Of Service, by crashing the code)

The method does break some code, most notably JITs and trampolines,
where you build code on the fly, and then execute it. It's possible that
OS services could bring JITs back to viability, but I'd imagine that
trampolines may well be done for with NX.

Incidentally, there's an IBM'er who works with 'Trusted Computing', and
has quite a presentation that answers your worries. Still, he presumes
that control CAN be given to the user, and that you only have to 'go
trusted' when you want to access someone else's content. Of course
SOME implementations may not have the safeguards he describes. But in
his description, truly well design security hardware brings with it
empowerment of the owner, or at least the OS writer, and is not at all
inconsistent with Open Source. I don't have a reference handy, sorry.
But I saw it wandering around mainstream Linux places, if that's a
start.

Dale Pontius

dale@edgehp.invalid (Dale Pontius) wrote in message news:<l6puob.7ig.ln@tomcat.edgehp.invalid>... In article <94be89da.0311120545.3b0394d7@posting.google.com>, thx1138@gibweb.net (THX1138) writes: dale@edgehp.invalid (Dale Pontius) wrote in message news:<inurob.age.ln@tomcat.edgehp.invalid>... In article <94be89da.0311111230.5cbde731@posting.google.com>, thx1138@gibweb.net (THX1138) writes: > Watch for the sell out by AMD and Intel. > > AMD and Intel have included a "secure" private area on the cpu you > purchase so that Microsoft can make your computer "secure" from you. > > Here is an article in The Register about what NX will do for you: > > http://www.theregister.co.uk/content/4/33729.html > > This article talks about the NX bit set that sets off a "secure" area > in the CPU so that Microsoft can impliment for "Next Generation > Secure Computing Base" aka Palladium and this is to be a "feature" on > all new CPUs in the pipe and on current Itanium and AMD64 CPUs. The > cynic would say that this was admission for Microsoft to rewrite to 64 > bit code. > I'm not sure if this is really DRM. It looks more like something that should have been done long ago - you can define pages or RAM as execute, as opposed to read or read/write. X86 was really kind of brain-dead from the start for not doing this. IIUC, this is a basic piece of hardware security that helps protect all of us from buffer overflows, not a sinister DRM camel's-nose. As long as it's documented. (not Appendix-H, either) As long as I (or a kernel hacker I trust) can turn it on and off. Dale Pontius Very true, it's not DRM technically. The relationship to DRM in the same way a shiney new bullett has to a grimey Saturday Night Special with eletrical tape around the handle. They key to this is the key, really. The owner of the keys to which the NX instructions will be tied to and used as the lock that controls access to any of the PC resources is not the owner of the PC. The "consumer" takes a back seat to the media monopoly, the software monopoly and pretty much anyone else who pays the toll to M$. The other catch is that it does not work unless they can: A) Make it so you can't turn it off. B) Make it so you can't turn it off, because you need it to access some vital service. This a M$ initiative, while it is nice to think that M$ would change it's past history and document everything in proper manner like a real software company should. You just know it's never going to happen that way and what documentation there is will cost a ransom to M$ and will have to be read under the "Dome of Silence", in the back room, down the stairs, behind the door with a sign that says "beware of the leopard". On first and second readings, I saw nothing about a 'key'. By my guess, it's just something like a page attribute. Just like you can mark pages read-write or read-only, you now can mark them read-execute. Then you have to tell the OS that it should only execute code from read-execute pages, and not execute code from read-only or read-write pages. In essence, this means that a buffer overflow can still overwrite parts of your stack, but it can't put executable code there, nor can it over- write any of your executable code. So while not impossible, it becomes tougher to do anything with a buffer overflow. You have to know where some handy code has already been compiled, and how to craft an offset into the buffer overflow to get there. Some Linux security patches can randomize code loading addresses, making this type of attack practically impossible. (other than as a Denial Of Service, by crashing the code) The method does break some code, most notably JITs and trampolines, where you build code on the fly, and then execute it. It's possible that OS services could bring JITs back to viability, but I'd imagine that trampolines may well be done for with NX. Incidentally, there's an IBM'er who works with 'Trusted Computing', and has quite a presentation that answers your worries. Still, he presumes that control CAN be given to the user, and that you only have to 'go trusted' when you want to access someone else's content. Of course SOME implementations may not have the safeguards he describes. But in his description, truly well design security hardware brings with it empowerment of the owner, or at least the OS writer, and is not at all inconsistent with Open Source. I don't have a reference handy, sorry. But I saw it wandering around mainstream Linux places, if that's a start. Dale Pontius

Dale,

There is a section in an article on the subject in the 11/11 edition
of PC Magazine called "Where is Windows going?" by Michael J. Miller.

Even as pro-M$ as PC Mag is these days they say that the CPU will be
part of the Secure I/O in the first iteration of NGSCB in the likes of
XP SP2. Eventually NGSCB will have resources on all hardware in the
PC. Mainly the effect will be that your own PC will not let you run
content that is not "secure", most likely that means not secure form
you.

I don't think this is realted but IBM is a 4C Entity company. The 4C
Entity is responsible for coming up with storage crytography
techniques that can by keyed.

THX

In article <94be89da.0311150453.297f3ed5@posting.google.com>,
thx1138@gibweb.net (THX1138) writes: dale@edgehp.invalid (Dale Pontius) wrote in message news:<l6puob.7ig.ln@tomcat.edgehp.invalid>... In article <94be89da.0311120545.3b0394d7@posting.google.com>, thx1138@gibweb.net (THX1138) writes: dale@edgehp.invalid (Dale Pontius) wrote in message news:<inurob.age.ln@tomcat.edgehp.invalid>...> In article <94be89da.0311111230.5cbde731@posting.google.com>,> thx1138@gibweb.net (THX1138) writes:> > Watch for the sell out by AMD and Intel.> >> > AMD and Intel have included a "secure" private area on the cpu you> > purchase so that Microsoft can make your computer "secure" from you.> >> > Here is an article in The Register about what NX will do for you:> >> > http://www.theregister.co.uk/content/4/33729.html> >> > This article talks about the NX bit set that sets off a "secure" area> > in the CPU so that Microsoft can impliment for "Next Generation> > Secure Computing Base" aka Palladium and this is to be a "feature" on> > all new CPUs in the pipe and on current Itanium and AMD64 CPUs. The> > cynic would say that this was admission for Microsoft to rewrite to 64> > bit code.> >> I'm not sure if this is really DRM. It looks more like something that> should have been done long ago - you can define pages or RAM as> execute, as opposed to read or read/write. X86 was really kind of> brain-dead from the start for not doing this.>> IIUC, this is a basic piece of hardware security that helps protect> all of us from buffer overflows, not a sinister DRM camel's-nose.>> As long as it's documented. (not Appendix-H, either)> As long as I (or a kernel hacker I trust) can turn it on and off.>> Dale Pontius Very true, it's not DRM technically. The relationship to DRM in the same way a shiney new bullett has to a grimey Saturday Night Special with eletrical tape around the handle. They key to this is the key, really. The owner of the keys to which the NX instructions will be tied to and used as the lock that controls access to any of the PC resources is not the owner of the PC. The "consumer" takes a back seat to the media monopoly, the software monopoly and pretty much anyone else who pays the toll to M$. The other catch is that it does not work unless they can: A) Make it so you can't turn it off. B) Make it so you can't turn it off, because you need it to access some vital service. This a M$ initiative, while it is nice to think that M$ would change it's past history and document everything in proper manner like a real software company should. You just know it's never going to happen that way and what documentation there is will cost a ransom to M$ and will have to be read under the "Dome of Silence", in the back room, down the stairs, behind the door with a sign that says "beware of the leopard". On first and second readings, I saw nothing about a 'key'. By my guess, it's just something like a page attribute. Just like you can mark pages read-write or read-only, you now can mark them read-execute. Then you have to tell the OS that it should only execute code from read-execute pages, and not execute code from read-only or read-write pages. In essence, this means that a buffer overflow can still overwrite parts of your stack, but it can't put executable code there, nor can it over- write any of your executable code. So while not impossible, it becomes tougher to do anything with a buffer overflow. You have to know where some handy code has already been compiled, and how to craft an offset into the buffer overflow to get there. Some Linux security patches can randomize code loading addresses, making this type of attack practically impossible. (other than as a Denial Of Service, by crashing the code) The method does break some code, most notably JITs and trampolines, where you build code on the fly, and then execute it. It's possible that OS services could bring JITs back to viability, but I'd imagine that trampolines may well be done for with NX. Incidentally, there's an IBM'er who works with 'Trusted Computing', and has quite a presentation that answers your worries. Still, he presumes that control CAN be given to the user, and that you only have to 'go trusted' when you want to access someone else's content. Of course SOME implementations may not have the safeguards he describes. But in his description, truly well design security hardware brings with it empowerment of the owner, or at least the OS writer, and is not at all inconsistent with Open Source. I don't have a reference handy, sorry. But I saw it wandering around mainstream Linux places, if that's a start. Dale Pontius Dale, There is a section in an article on the subject in the 11/11 edition of PC Magazine called "Where is Windows going?" by Michael J. Miller. Even as pro-M$ as PC Mag is these days they say that the CPU will be part of the Secure I/O in the first iteration of NGSCB in the likes of XP SP2. Eventually NGSCB will have resources on all hardware in the PC. Mainly the effect will be that your own PC will not let you run content that is not "secure", most likely that means not secure form you.
I don't disagree with a thing you've said. I just don't think that the
subject of this thread is what you're talking about. I think the subject
of this thread is adding 'execute' attributes to pages, bringing out the
possibility for 'read, but not execute' pages, as well.

IMHO this is good, and computationally not a step down the slippery
slope.

But I'll grant that psychologically it may be a step down that slippery
slope for Joe Sixpak. Joe may well see that NX was good, (true) so more
'execution control' is better (false) and jump hook, line, and sinker
into a pool of Palladium.
I don't think this is realted but IBM is a 4C Entity company. The 4C Entity is responsible for coming up with storage crytography techniques that can by keyed.
I need to find the IBM'ers article on this. Trusted computing CAN be
done without losing trust in your own computer. The hardware the IBM'er
describes does exactly that. But it doesn't have to be done that why,
which is what he, you, and I (and others) all fear. It CAN also be
done in the sieze-control way you warn about. But it doesn't HAVE to be.

Dale Pontius