Saturday, January 13, 2007

Vista "suicide note" researcher interview on Security Now

The excellent Security Now podcast just aired an interview with Peter Gutmann, the security researcher who wrote the celebrated "A Cost Analysis of Windows Vista Content Protection" (this is the paper whose "executive executive summary" read simply, "The Vista Content Protection specification could very well constitute the longest suicide note in history").

Gutmann has really dug into the crazy extremes that Vista -- the next version of Windows -- goes to in order to restrict how you use high-definition video. The operating system has been essentially rendered useless by a set of deliberately introduced malfunctions. For example, if your computer detects erroneous data in its registers, or voltage fluctuations (both of which are typical of PCs whose parts have been manufactured by dozens of companies), it will restart major subsystems, hanging up while it flushes all your data -- just in case those errors were part of a hack-attack on the system.

Vista is a disaster. Microsoft is so desperate to get the entertainment industry locked into its platform that they'll destroy themselves to get there. This is an operating system that, when idle, will have to check itself every 30 milliseconds to make sure nothing is still happening, and no hackers are attacking it. It acts like an unmedicated paranoid. If Vista catches on, hundreds of millions of computers will be burning septillions of cycles and tons of coal just making sure that no one is putting a voltmeter on the traces on its motherboard.

And those are its good points.

And what it means is that so many aspects of our PCs, which have been fully documented, been public domain, so that anyone could develop a display card, for example -- that's no longer the case. If you're going to have any foot in this next-generation game, you have to sign up and apparently pay hefty license fees just to participate. And if you don't get certificates, which are subject to spontaneous revocation if you then subsequently misbehave -- or in fact I read one of the AACS organization documents that said you could be revoked if you failed to pay your annual dues.

See also:
Great information-security weekly podcast
Windows Vista: Suicide notes, nerdcore rap MP3