Feeds

Vista's Suicide Bomb: who gets hurt?

Mostly Wintel, we reckon

Providing a secure and efficient Helpdesk

Analysis So have fun fighting the battle against CPRM and alike but please do not be surprised when you fail, after all the war has been lost, long live the new world order: proprietary devices, proprietary interfaces, copy protection, limited functionality, and prepare you credit card accounts for all those monthly rental and service charges you will be paying for every "computer controller consumer electronics device" you use.

 - Hale Landis, March 2001

If you read just one thing over the holiday break, make sure it's Peter Gutmann's cost analysis of Windows Vista, that we noted here. It's an eye opening 20 minutes.

Gutmann describes in great detail the various measures Microsoft has taken to lock down Windows on behalf of Hollywood. This isn't a comprehensive look at all of Vista's DRM - Gutmann barely touches on Microsoft's new activation framework; this is beyond the scope of his enquiry.)

To recap: in order to playback HD-DVD and BluRay content, Microsoft agreed to degrade video and audio functionality in Windows. Gutman points out that when "premium" content is being played, component video - YPbPr - and S/PDIF interfaces are disabled. Third party hardware that fails to obey these orders may have its be "certified" status revoked by Microsoft - leaving the user with minimal (eg VGA) functionality.

Additional hardware specifications decreed by Microsoft, which are intended to alert the system that the "secure path" may have been compromised, open up a potentially devastating new vulnerability for net-connected PCs. As Gutman describes it -

Vista's content protection requires that devices (hardware and software drivers) set so-called "tilt bits" if they detect anything unusual. For example if there are unusual voltage fluctuations, maybe some jitter on bus signals, a slightly funny return code from a function call, a device register that doesn't contain quite the value that was expected, or anything similar, a tilt bit gets set. Such occurrences aren't too uncommon in a typical computer... Previously this was no problem - the system was designed with a bit of resilience, and things will function as normal. In other words small variances in performance are a normal part of system functioning.

This creates a new attack vector for malware:

Non-US governments are already nervous enough about using a US-supplied operating system without having this remote DoS capability built into the operating system.

With the introduction of tilt bits, all of this designed-in resilience is gone. Every little (normally unnoticeable) glitch is suddenly surfaced because it could be a sign of a hack attack. The effect that this will have on system reliability should require no further explanation.

In short, the Vista specifications explicitly cripple the PC. We say "specifications" quite deliberately, for in a sense this is a game of chicken.

This DRM only affects the playback of next-generation DVDs; which isn't a real problem for anyone quite yet: players cost $1,000 at the moment and there's next to no content available for them. In the coming few months, far more ordinary users will be affected by the DRM designed to prevent unlicensed use of Windows itself, than by these Hollywood mandates.

Nevertheless, Gutmann calls Vista multimedia DRM the "longest suicide note in history" - a phrase with some resonance to British voters [***].

This is evocative, but perhaps errs on the side of understatement. It may be more accurate to think of Vista's DRM as a suicide bomber waiting to go on his mission. For if and when Windows Vista optical multimedia DRM is activated, it destroys Windows Vista DRM reputation in the market as a multimedia playback device. The blowback will be felt most by Microsoft, the PC industry, and third party hardware manufacturers. In other words, the biggest loser would be the Windows market.

Quite rightly, Gutmann points out immediate disadvantages - such as the increased cost to hardware manufacturers who have been obliged to "secure" their digital pathways because Hollywood and the CE industry couldn't be bothered to secure their own. (The i/o interface S/PDIF is wide open). This is a cost which is passed on to consumers, whether we use the functionality or not.

DRM explodes - not many dead?

But if implemented, and the "big switch" is finally turned on, how much would it really matter?

Often discussions about DRM degenerate into self-serving hysteria about "the end of culture". So we're grateful that Gutmann took the time to state a fact so obvious, that it's often overlooked:

"If I do ever want to play back premium content," he wrote, "I'll wait a few years and then buy a $50 Chinese-made set-top player to do it, not a $1000 Windows PC. It's somewhat bizarre that I have to go to Communist China in order to find vendors who actually understand the consumer's needs."

Quite so. (I hardly think my "culture" is being thwarted when I can simply slip my over-priced next-generation DVD into an over-prived next-generation DVD player. Or download the file via Bittorrent.)

Compromising the open PC platform for the sake of playing back BluRay and HD-DVD simply nukes the PC in the consumer electronics market - but that's somewhere it arguably should never have been in the first place. Despite Wintel's best efforts, the PC makes for a lousy home entertainment hub. It's still too fussy, complicated and expensive: a case of technological overkill driven solely by the vendors, led by Microsoft and Intel.

Exactly six years ago, we broke the story of what was (and perhaps still is) the most nefarious stunt ever attempted on the open PC platform: the attempt to add CPRM into the specification for industry-standard hard drives, ATA. This provided a mechanism for content producers to lock down media to a specific machine, and would have arrived on the market by stealth. After the resulting outcry, the plans were dropped, and CPRM lives on as the standard DRM for removable flash media such as SD cards.

Consumers are now better educated, and we can be far more confident that a restricted PC will land on the market with a dull thud - and never be heard of again.

But some of the issues remain, not least for free software authors. As Richard M Stallman eloquently described it at the time:

"If users accept the domination of centrally-controlled data, free software faces two dangers, each worse than the other: [our emphasis] that users will reject GNU/Linux because it doesn't support the central control over access to these data, or that they will reject free versions of GNU/Linux for versions "enhanced" with proprietary software that support it. Either outcome will be a grave loss for our freedom."

But we'd be more confident if consumer groups and governments kept the manufacturers to a minimum standard of disclosure. For the market to arrive at an informed buying decision, it needs all the information.

So should Vista DRM require such technical counter-measures to play next-generation DVDs, then so be it: but these must be marketed as such.

And despite protests, Microsoft has proved itself perfectly able to produce a "reduced functionality" - in its own words - version of Windows on demand. It once cheerfully produced a version that didn't boot at all, for a US district judge.

Naturally, this reduced functionality version should be marketed separately. We suggest clear labelling - such as putting the shrink-wrap version in a BioHazard bag.

And the name? "Windows Vista SE".

For "Suicide Edition", of course. ®

Bootnote The phrase is attributed to right-wing Labour MP Gerard Kaufmann describing his party's 1983 election manifesto.

Choosing a cloud hosting partner with confidence

More from The Register

next story
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.