Feeds

Microsoft reveals hardware security plans

Concerns remain

  • alert
  • submit to reddit

Boost IT visibility and business value

Can trusted computing hardware deliver security without locking out competition, asks SecurityFocus's Robert Lemos.

The next version of Windows, codenamed "Longhorn," will have security features to take advantage of the trusted computing hardware now showing up in the marketplace, Microsoft executives announced on Monday.

The software giant plans to deliver encryption features and integrity checks to insure that computers, such as notebooks, that are disconnected from a network are not affected by malicious programs. Called Secure Startup, the feature will appear in Microsoft's forthcoming version of its operating system, known as Longhorn, and represents a much smaller subset of the security features that the software giant had originally intended to build into the system software.

"We remain fully committed to the vision of creating new security technology for the Microsoft Windows platform that uses a unique hardware and software design to give users new kinds of security and privacy protections in an interconnected world," Selena Wilson, director of product marketing for Microsoft's Security Business and Technology Unit, said in statement. "The changes we are making can be characterized as an evolution of that original vision."

Secure Startup will combine full-volume encryption, integrity checks and the hardware-based Trusted Platform Module (TPM) to detect malicious changes to the computer and protect the user's data if the laptop is stolen, the software giant stated at its annual Windows Hardware Engineering Conference (WinHEC). The Trusted Platform Module is a standards-based hardware design created by the Trusted Computing Group, of which Microsoft is a member. (SecurityFocus's parent company, Symantec, is a contributing member of the group.)

While the technologies, once known as Palladium and now called the next-generation secure computing base (NGSCB), will help companies and consumers lock down their computers and networks, concerns remain that the hardware security measures could also be used to lock-in consumers to a single platform and restrict fair uses of content.

With homegrown integrity and security features being added by a variety of devices by companies aiming to lock out competition using the Digital Millennium Copyright Act (DMCA), the specter of another hardware-based security feature worries some information-system experts.

Innovation could suffer if reverse engineers are locked out from tinkering with devices, said Dan Lockton, a graduate student at the University of Cambridge whose thesis focuses on the effects of technologies created for controlling information.

The fear is that "we're moving to a stage where the customer no longer has control over the product he or she has bought or the products (created) using that device," Lockton said.

Printer maker Lexmark attempted to block generic ink cartridge makers from reverse engineering its simple hardware security scheme for validating legitimate cartridges. A federal appeals court overturned in October an initial win for Lexmark and allowed chip-maker Static Control to continue making the chips that made generic ink cartridges compatible with Lexmark printers.

"It is definitely clear that some of the content owners themselves are trying to use the technology to erode some of the fair use allowances that have historically been granted by the courts," said William Arbaugh, assistant professor of computer science for the University of Maryland at College Park. "We have to be vigilant in order to stop that tactic."

The Electronic Frontier Foundation, an Information Age civil rights group, has also criticized the technology as potentially undermining fair use rights.

However, Microsoft's Wilson stressed that the software giant intends to increase user security, not reduce the control the user has over their computer.

"We have always been very clear that NGSCB was never designed to be a system that would 'lock-in' users or decrease the flexibility of the Windows computing experience," she said. "Our vision has always been to provide benefits in terms of security, privacy, and system integrity while preserving the flexibility of Windows."

If Microsoft - and more importantly, third-party content providers - give consumers full control over how the technology is used in their systems, the security benefits could significantly increase the protection of PC data, the University of Maryland's Arbaugh said.

"This technology could be used for some really heavy handed digital-rights management (DRM) but it can also be used for some great improvements in security," he said. "I think finding that sweet spot will be a technical challenge as well as a policy challenge."

Copyright © 2005, SecurityFocus logo

Application security programs and practises

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Do YOU work at Microsoft? Um. Are you SURE about that?
Nokia and marketing types first to get the bullet, says report
Microsoft takes on Chromebook with low-cost Windows laptops
Redmond's chief salesman: We're taking 'hard' decisions
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
EU dons gloves, pokes Google's deals with Android mobe makers
El Reg cops a squint at investigatory letters
Chrome browser has been DRAINING PC batteries for YEARS
Google is only now fixing ancient, energy-sapping bug
Big Blue Apple: IBM to sell iPads, iPhones to enterprises
iOS/2 gear loaded with apps for big biz ... uh oh BlackBerry
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.