Archive for the ‘Usable’ Category

Debate on Cost Analysis of Windows Vista Content Protection

Friday, January 26th, 2007

Well, I’m using the term “debate” loosely here because it seems to me, given the marshalled evidence, there isn’t much of a debate to be had, but in any case, Microsoft has responded to Peter Gutmann‘s cost analysis of the DRM subsystems in Windows Vista (of which I’d written about earlier), and also in system hardware that has anything to do with handling of so-called “premium content” (i.e. content encoded onto newly emerging HD-DVD and Blu-Ray discs). Their reply is here..

Windows Vista Content Protection – Twenty Questions (and Answers)
http://windowsvistablog.com/blogs/windowsvista/archive
/2007/01/20/windows-vista-content-protection-
twenty-questions-and-answers.aspx

Peter Gutmann’s rebuttal to Microsoft’s response is here..

Microsoft’s Response
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html#response

..which is an appendix of his overall “Cost Analysis of Windows Vista Content Protection” paper.

If you are at all curious as to the veracity and logic of Microsoft’s response, it is worth reading Peter Gutmann’s response in detail.

A Cost Analysis of Windows Vista Content Protection

Thursday, December 21st, 2006

Peter Gutmann has just published a fairly detailed examination of Windows Vista Content Protection. It is highly recommended reading in that it has non-trivial implications for essentially all personal computer users of any stripe…

A Cost Analysis of Windows Vista Content Protection
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt

Note that this analysis dovetails with Bruce Schneier‘s overall “DRM is futile” piece from 2001…

The Futility of Digital Copy Prevention
http://www.schneier.com/crypto-gram-0105.html#3

And also it has been coming for a while. Here’s a Microsoft doc from early 2005 that goes into fair detail describing the DRM-driven system workings that Peter analyzes…

Output Content Protection and Windows Vista
Updated: April 27, 2005
http://www.microsoft.com/whdc/device/stream/output_protect.mspx

..although interestingly enough, technorati lists only 13 references to it in their view of the blogosphere. Perhaps this upcoming train wreck isn’t all that widely perceived.

To me, Microsoft’s introduction of this level of bizzare complexity into the hardware and software platform, simply tends to reinforce the refrain of one of my colleagues: “I ain’t going anywhere near Vista.”

Seems like I’ll have to sooner or later get around to experimenting with bringing up Ubuntu and/or CENT/OS and evaluating what it’ll take to migrate my environment over to one of them. Oh, yeah, and get my hardware upgraded sooner rather than later here so that it hopefully won’t have this foolishness in it. I wonder how long into the future XP will be supported?

[update 25-Dec-2006]

Peter has updated his analysis paper to provide pointers to publicly available sources.

SSO / Single Sign-On (read: Simplified Sign-On)

Wednesday, June 7th, 2006

The term “Single Sign-On”, and/or it’s typical acronym “SSO”, is used all over the place — for example in piles of specifications from various SDOs (Standards Developing/Development Organization) and other orgs (eg corporations, .edu world, government, etc). Does anyone — including the authors of said specifications — actually believe that a person would ever have a single set of credentials that they wield everywhere?!#%$^

I don’t believe most folks actually believe that. However, this discussion is decidedly NOT over. I too had thought it was — but then I was recently talking with another security protocol professional who was thinking that we, in the SSTC, were being presumptuous because we employed the “SSO” term, and he thought we were taking it literally, as in “single sign-on”. Which of course we don’t, and are not doing.

Rather, what most everyone appears to acknowledge, including us in the SSTC is that people will end up with some finite set of credentials, or personas, or identities (or whichever word you want to use according to the taxonomy/lexicon to which you subscribe), where the number of credentials is likely > 1 for any given person (but doesn’t have to be of course, it is zero for a lot of people on the planet as yet (in terms of the Internet)).

Note that this is the situation we’re in today, however those of us “in the know” create a new set of creds (eg username & password) for most every Internet site with which we establish a relationship. However, the hope of those of us behind various SSO technologies (e.g. SAMLv2) is that given deployment of these technologies, netizens will gradually have the option to maintain fewer credentials (aka personas) to wield with the sites/services we utilize. Thus our lives will be at least somewhat more simple and thus this interpretation for the “SSO” term. QED, etc.

So where does that leave the term represented by “SSO”? Personally, I subscribe to it’s real-life meaning being:

simplified sign-on

The perspective here being that (hopefully), given the emerging SSO-enabling technology (e.g. SAMLv2, Identity Web Services, etc.), it will begin to be deployed such that most all of us Netizens will have the opportunity to simplify our lists of site login credentials (I have > 80 last time I counted) and (hopefully) arrive at a more manageable number of credentials (aka personas) where n < 20 and hopefully for those who really want to, have n < 10. The foregoing quantities are just my personal off-the-cuff estimates, YMMV.