NGSCB, aka Palladium, in next generation of CPU, says Gates

And it'll be a hardware ID world, real soon now...


Microsoft's Next Generation Secure Computing Base (NGSCB, aka Palladium) will be built into the next generation of CPUs, Bill Gates claimed yesterday, effectively making security via hardware ID an integral part of the Windows PC platform. And Microsoft is talking to the chip and PC companies about the introduction of hardware ID, so we will likely be seeing some decidedly NGSCB-like features well ahead of Longhorn.

Bill has a talent for what Lady Mary Archer has described as "imaginative precis", so we can never take his presentation material as absolute gospel. It is however extremely valuable in determining where it is that Microsoft wants us to go tomorrow, and how Microsoft proposes to get us to go there. This time around, the security imperative figures high in the company's drive to wrest what remains of your control of your computer from you. Over to Bill, and we'll unpick as we go:

"Another enhancement that hasn't been talked about very broadly is the fact that the next generation of processors will build in a new security capability called, kind of obscurely [remind us who it was who renamed Palladium, Bill], Next Generation Secure Computing Base, or NGSCB is the acronym for that. What that does is it allows you to still run arbitrary third-party software to be able to make security guarantees, that the decryption keys and some software is running in such a way that third-party software is isolated from it."

As is so often the case with Bill, you just about know what he means, as opposed to what he said. What he means here is that NGSCB machines will still run standard software, ringfenced off from the secure components, but its point is that it uses the secure components and software to establish trust relationships. Check here for a longer explanation of what NGSCB is, and how it will operate. Note also that although it is not DRM, it is a very useful base for DRM systems, while the S-word is a very useful cover for such systems.

If the particular next generation of processors Bill is talking about makes it to market before Longhorn, then it's perfectly feasible that at least some of NGSCB can be catered for before Longhorn. Microsoft has never specifically said that NGSCB is a Longhorn product, just that it's a long-range product. The hardware ID component of NGSCB was initially intended to use a TCPA-compliant chip on the motherboard, and this can still happen to enable more immediate secure systems, while getting it onto the CPU itself will allow Microsoft to make NGSCB into a standard. Call it DRM and people will run; call it security and maybe they won't.

Microsoft is calling it security. If we go back to Bill's presentation and focus on SP2, we get:

"So we have an update to the client that turns the firewall on by default. It's got changes in Outlook Express and IE for safer e-mails and browsing [we expect he doesn't mean Mozilla by this]. It uses some of the new hardware features in the newer chips to block a large class of exploits. It changes the way we do some of the code protection. We recompile a lot of the key modules. That goes into the beta later this year, SP2."

We shouldn't read too much into that, because Bill isn't being specific either about what these new hardware features are, or how Microsoft is going to use them. It does however signal that security-driven changes in hardware are being introduced now, as part of an ongoing ramp, rather than being something that won't happen until 2005-6. Speaking about NGSCB in his own presentation, which followed Gates', Jim Allchin said "we're working with the hardware vendors to be able to create a system so that we can boot and ensure that we're booting securely and that we can create shadowed memory where code can execute but you can't debug it." Note that he says hardware vendors, not CPU vendors, so we have Microsoft, the chip companies and the PC companies all talking about the introduction of hardware security.
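What "booting securely" and hardware-backed trust amount to in practice, as an added illustration that is not from the article or from Microsoft's design: a simplified measured-boot and attestation model in Python, with placeholder boot-stage names, a constructed per-machine key, and HMAC standing in for the hardware's asymmetric signature.

```python
import hashlib
import hmac

# Constructed stand-in for the measurements a machine records while booting
# (placeholder stage images; real measurements would be hashes of the actual binaries).
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"secure-kernel-v1"]
PCR_INIT = b"\x00" * 32

# Hypothetical per-machine secret standing in for the hardware-held identity key.
# With a real asymmetric key the verifier would hold only the public half.
HW_KEY = b"constructed-per-machine-secret"

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || H(measurement)). One-way and order-dependent,
    so the final register value commits to every stage and the order they ran in."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measured_boot(chain) -> bytes:
    """Each boot stage is measured into the register before it runs."""
    pcr = PCR_INIT
    for stage in chain:
        pcr = extend(pcr, stage)
    return pcr

def quote(pcr: bytes, nonce: bytes) -> bytes:
    """The platform 'quotes' its register under the hardware key, bound to the verifier's
    nonce so an old quote cannot be replayed. HMAC stands in for the real signature."""
    return hmac.new(HW_KEY, pcr + nonce, hashlib.sha256).digest()

def verify(pcr: bytes, nonce: bytes, sig: bytes, expected_pcr: bytes) -> bool:
    """Verifier side: did this hardware produce the quote for my nonce, and does the
    reported register match the known-good boot chain?"""
    if not hmac.compare_digest(sig, quote(pcr, nonce)):
        return False  # not from this hardware, or a quote replayed under another nonce
    return hmac.compare_digest(pcr, expected_pcr)

def attest(chain, nonce: bytes, quoted_nonce: bytes = None) -> bool:
    """Run the whole exchange for a machine that booted `chain`. `quoted_nonce` lets a
    caller simulate replaying a quote that was issued for a different challenge."""
    pcr = measured_boot(chain)
    sig = quote(pcr, quoted_nonce if quoted_nonce is not None else nonce)
    return verify(pcr, nonce, sig, measured_boot(GOOD_CHAIN))

if __name__ == "__main__":
    print(attest(GOOD_CHAIN, b"nonce-1"))                                               # True
    print(attest([b"firmware-v1", b"bootloader-v1", b"patched-kernel"], b"nonce-1"))    # False
    print(attest(GOOD_CHAIN, b"nonce-2", quoted_nonce=b"nonce-1"))                      # False
```

The tampered kernel and the reordered chain both change the register value, and a quote issued for an earlier nonce is rejected; this is the mechanism by which a network or service could refuse a machine that has not booted the expected software.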

Gates himself had a couple more nuggets. In his speeches lately he's taken to complaining that one of today's big problems is anonymous email, so we don't know who's really sending it. Yesterday was no exception:

"We have a number of things that are weak links in the security picture. Passwords over time will not be adequate to deal with critical information. The fact that e-mail, you don't really know if it came from the person it appears to come from, and even the fact that Internet packets can be spoofed, so at many levels of the standards that we have we need to add security capabilities."

From Microsoft's perspective the solution here is clearly hardware ID, supported by Microsoft software. This clearly has implications for the rest of us, and it would possibly be useful to consider the implications of the elimination of anonymity, which seems to be what is being proposed, now, and for Microsoft to start sharing with us its security-driven plans for amendments to Internet standards. But don't hold your breath.

Microsoft's intentions to switch on the XP firewall by default, and to upgrade it to deal with outgoing as well as inbound traffic, are fairly well known. But it also has rather more wide-ranging plans; what about this, for example:

"And when I say firewall, I mean that in a very broad sense. I mean scanning files that come through e-mail or FTP, I mean being able to look at a machine that's been connected up to the Internet and, when that machine VPNs in, being able easily to scan it to make sure it doesn't have a problem and that software is up to date, or perhaps taking that same machine and carrying it in to the corporation and connecting it up, then it's behind the firewall again that needs to be scanned."

Bill clearly means firewall in a very broad sense indeed. Compulsory but painless full body searches of machines connecting to the network are obviously going to be attractive to the corporate market, but if the technology can do it there (probably with the aid of hardware ID, again), then it surely won't stop there. You could envisage submitting to the body search and taking your patches as the price of entry for all sorts of connections, and you could see Windows becoming pretty much compulsory for such scenarios, given how tricky a call that leaves for what rivals there are.

These will be faced with the question of whether to agree with, and follow, Microsoft or to stay out and risk having the security can tied to their tails. Or to join forces and invent a rival "open" hardware-linked rights-denial system. Ah, you say, but haven't previous attempts in this kind of area been stymied by indignant consumers? Has not Intel already had to climb down over unique IDs? Hasn't Microsoft?

Well, yes indeed, but that was then and this is now. Consumers are currently outraged by security breaches, spam, virus attacks, ID theft, and most people are blaming Microsoft for much of this. But most people would also like something done, and will tend to agree that new technologies that get that something done are A Good Thing. So if Microsoft plays its cards right it can move from the position of hesitating over their introduction to acceleration. And then untie the security can from its own tail and hand it to whoever's objecting. Arguing against it will be a lot more difficult than it has been in the past, and ignoring it may not be an option, if you're going to end up ignoring the bulk of the market by doing so.

Microsoft is seeding it slowly into its own presentations now, and if we don't start objecting now, then soon we could discover it's too late. ®

