Microsoft Corp.’s silence on its Next-Generation Secure Computing Base (NGSCB) architecture has some industry insiders wondering if the technology has been substantially delayed, or even axed.
Microsoft unveiled NGSCB, formerly known by its Palladium code name, in 2002. The technology, Microsoft has said, uses a combination of software and hardware that boosts PC security by providing the ability to isolate software so it can be protected against malicious code. NGSCB requires changes to a PC’s processor, chipset and graphics card, for which Microsoft has said that it enlisted the help of hardware makers including Intel Corp. and Advanced Micro Devices Inc.
Critics have argued that NGSCB will curtail users’ ability to control their own PCs and could erode fair-use rights for digital music and movie files.
Last May, at its Windows Hardware Engineering Conference (WinHEC) in Seattle, Microsoft said it was retooling NGSCB so some of the benefits would be available without the need to recode applications. The vendor promised an update on NGSCB by the end of 2004. It did not release one and has remained silent since that time.
Meanwhile, Microsoft has shut down an NGSCB discussion group on its Web site. The NGSCB product page is now empty and previously posted details have been mothballed into an archive page. Several notes on the NGSCB site say, “NGSCB architecture is evolving.”
Microsoft Chairman and Chief Software Architect Bill Gates, speaking at the RSA Conference last week, highlighted many of Microsoft’s security efforts but did not mention NGSCB. Asked about the technology, a Microsoft spokesman at the event said that although the company had promised an update, it does not have one.
“We do not have an update on NGSCB to share at this time. Microsoft continues to actively work through many of the technical details and we expect to be able to provide more details in the near future,” the spokesman said.
The silence on NGSCB raises significant questions about the future of the technology, which Microsoft once loudly promoted, said Michael Cherry, a lead analyst at Directions on Microsoft Inc., in Kirkland, Washington. “Unless they do something soon, I think NGSCB is dead,” Cherry said.
Microsoft should keep its promises to provide updates, especially if it concerns security technology, Cherry said.
“If Microsoft wants its Trustworthy Computing Initiative to be seen as valuable for customers and partners, they have to be transparent… With security, you have to be careful to talk about only the things you really are going to do and then do them extremely well,” he said.
Although Microsoft isn’t yet willing to talk about NGSCB, it appears the company will have an update at this year’s WinHEC conference late April in Seattle. The preliminary agenda for the event lists two sessions that include NGSCB, including one titled “How to build NGSCB-enabled systems,” according to the WinHEC Web site.
Microsoft has said that it plans to incorporate NGSCB in the next Windows release, code-named Longhorn, due out in 2006. As the release of Longhorn nears, developers will have to know how to work with the security technology. If NGSCB still is to be part of Longhorn, Microsoft is cutting it close on informing developers, Cherry said.
“Without that kind of detail, it is going to be very hard for anybody to write an application to take advantage of it in the Longhorn time frame,” he said. The first beta version of Longhorn is planned for the first half of this year, Microsoft has said.
Attendees at Microsoft’s Professional Developers Conference in Los Angeles in October 2003 received a developer preview of NGSCB. That preview was meant to give developers a feel for what it is like to develop an application that uses NGSCB security, but with the changes Microsoft is making, the details of the preview have become largely obsolete, according to a person familiar with NGSCB.
Martin Reynolds, a vice president and research fellow at Gartner Inc., doubts NGSCB will make it into the first release of Longhorn. “We would have heard more about it,” he said.
Instead, Reynolds expects Microsoft to include NGSCB in an update to Longhorn he believes will come in 2008, he said. That update to Longhorn probably will also include WinFS: “all the things they wanted to do in 2006, but they could not,” he said. WinFS is a unified storage system that Microsoft cut from Longhorn last August.
Microsoft last May said it was changing NGSCB but not discarding previous work or going back to the drawing board. Originally Microsoft had limited NGSCB to providing strong protection for very small amounts of data through protected agents. Applications would have to be rebuilt to include a protected agent that would run in a secured space on the system. In May, Microsoft said it was revising NGSCB so it would be possible to secure more bits without having to rewrite applications.