Report: MS plans security chip

Microsoft Corp. wants to change the fundamental architecture of the PC, adding security hardware prior to the release of the next generation of its Windows operating system around 2004, according to a media report and an analyst briefed by the company. [Note to editors: New information appears in bold.]

The Redmond, Washington, company wants future PCs to contain a security technology called Palladium, and is in discussion with Intel Corp. and Advanced Micro Devices Inc. to develop the chips, according to a report in the July 1 issue of Newsweek magazine published Sunday on the MSNBC Web site. Microsoft owns a stake in MSNBC.

Representatives of Intel and Microsoft contacted in Europe had not heard of the technology. Microsoft, however, was awarded a U.S. patent on a “digital rights management operating system” in December 2001.

Among possible applications of the technology are authentication of communications and code, data encryption, privacy control and digital rights management (DRM), according to the report.

The system is comprised of three components, an authentication system, hardware chips and software, called the “nub,” that handles the security tasks, according to Martin Reynolds, a research fellow with market analysis firm Gartner Inc., which is based in Stamford, Connecticut. Reynolds was briefed on Palladium by Microsoft.

The three components will work in parallel to the operating system, with security tasks shunted from the operating system to the Palladium system, rather than as an integrated part of it, he said. Palladium is a security foundation upon which to build other security features, more than a system itself, he added.

As such, Palladium “is a very clever system,” Reynolds said. “You can’t crack it in the conventional sense.”

Conventional cracking of the technology would be difficult because when an attacker tries to forge or attack the digital signatures used in the authentication component, the nub loses its encryption keys, making the system unable to communicate, he said.

“It’s not impossible (to crack),” but it would likely have to be done one machine at a time and in hardware, rather than software, Reynolds said.

“Palladium does have the ability to give us truly secure PCs,” he said. “Once we have security, do we want it,” he added, anticipating possible user concerns about privacy and digital rights management.

Consumers will likely not be pleased about Palladium’s DRM features, though “if you’re the Hollywood people, you’re thrilled,” he said.

While most talk of DRM revolves around music, Microsoft Chairman and Chief Software Architect Bill Gates sees it as more useful for controlling e-mail: Palladium could be used to limit forwarding of messages, or to make them unreadable after a certain time interval has elapsed, the report said.

Microsoft, for one, would benefit from being able to control e-mail in such a way. It has repeatedly fought to keep damaging internal e-mail out of court records in recent cases, including its battle with the nine non-settling states over remedies in its antitrust fight with the DOJ.

The technology needs to be widespread in order to be useful: 100 million devices will have to be shipped “before it really makes a difference,” the report quotes Microsoft vice president Will Poole as saying.

Palladium grew out of a skunk-works project looking for ways to secure information stored on machines running Windows and became an official Microsoft project in October 2001, according to the report.

The first versions of Palladium “will be shipping with bugs,” the report quotes one of the project’s cofounders, Paul England, as saying.

This could be a problem, however, said Gartner’s Reynolds.

“The whole thing has to work right and if it doesn’t work right, it doesn’t work at all,” he said.

Microsoft’s record on software security has been heavily criticized in the past, and in January of this year the company announced a new emphasis on trustworthy computing in an effort to clean up its image. This news was soon followed by word that its software developers would stop writing new code while they audited their existing code for security flaws.

Microsoft has long maintained that keeping its source code under wraps makes its software more secure than open-source software such as rival operating system Linux, where anyone can inspect the source code and see its flaws. A recent report from a Microsoft-funded think tank, the Alexis de Tocqueville Institution, claimed that government use of open-source software represents a threat to national security.

Proponents of open-source software say this openness makes it more secure, as there is a greater chance that flaws will be fixed and that users will be more aware of the necessity of upgrading to a fixed version of the software.

Advocates of open software development may be winning the argument. According to the Newsweek report, Microsoft will publish the source code to its Palladium system in an effort to be more transparent.

Gartner’s Reynolds backed this point, saying that “Microsoft is talking about making it open source.”

Such transparency will be key to the system’s success, according to Ari Schwartz, associate director of the Center for Democracy and Technology, based in Washington, D.C.

“It’s important that there is transparency in the process,” he said. “If they build it in a way that is seamless and intuitive, users will feel like they have more control. If not, there could be a major user backlash.”

“It’s too early in the process and it’s difficult to say which way it will fall,” he added.

Publishing source code openly is not the same as declaring it to be “open source.” According to the Open Software Initiative, open source software must be freely distributable by third parties, including as part of derivative works, without restriction or payment.

(Scarlet Pruitt, an IDG News Service correspondent in Boston, contributed to this report.)