April 25, 2005 4:00 AM PDT

Microsoft: 'Trusted Windows' still coming, trust us

After nearly a decade, Microsoft's vision for how to protect especially sensitive information within Windows remains largely that--a vision.

For years, the software giant has promised to deliver a secure way to shuttle around key bits of information. Once known as Palladium and more recently dubbed the Next Generation Secure Computing Base, or NGSCB, the approach was once a key part of Longhorn, the next version of Windows. Although the first piece of that is arriving in Longhorn, it's only a thin sliver of what Microsoft has been working toward since describing its idea of "trusted Windows" a decade ago.

In the next version of Windows, which Microsoft chairman Bill Gates will show off on Monday at a company sponsored conference, Microsoft will use the concepts of NGSCB to ensure that Windows-based machines start up without interference. The primary benefit of such an approach is that if a laptop is lost or stolen, the data can't be accessed simply by booting the machine up using another operating system.

News.context

What's new:
Microsoft has scaled back an ambitious security plan, but some pieces will show up in the next Windows.

Bottom line:
Although early concerns have eased up, worries over the cost and hardware requirements involved in protecting sensitive information within Windows have forced the company to again alter its plans.

More stories on this topic

"If you lose your laptop in a taxi, no one is going to get at your data," Windows chief Jim Allchin said in a recent interview. "The hardware is not going to let you boot that software, and there is a way for us to do full-volume encryption."

That may indeed be a popular feature, but it's a far cry from Microsoft's broader plan, which was to use NGSCB systemwide as a secure vault for particularly sensitive information such as passwords or bank records. Such information would be kept in hardware and then securely transmitted between a computer's components, such as memory, hard drive and monitor.

The change, Microsoft says, is the result of customers telling the software maker that they didn't want to have to rewrite their applications.

"We revisited our approach," said Selena Wilson, director of product marketing in Microsoft's security unit, adding that the company's decision was to "give customers something that is easy to implement now and upgrade over time."

Microsoft's plans for NGSCB have been shifting for some time. The company demonstrated a prototype of the technology two years ago, but by that point there were already concerns that it could harm consumers or that it would give Microsoft too much leverage over businesses.

Although some of those concerns have eased as Microsoft has revamped the technology, more practical worries over the cost and

CONTINUED: ...
Page 1 | 2

See more CNET content tagged:
Microsoft Longhorn, approach, Microsoft Corp., vision, Microsoft Windows

Add a Comment (Log in or register) 46 comments (Showing first 20 comments)
Mac OS X FileVault... onsale 10-25-2003
by April 25, 2005 5:27 AM PDT
Encrypted home directory protects user data with one click, been
available for 18 months now... oh yeah, "it just works"!

let's talk about what's really in longhorn when it starts shipping.
Reply to this comment View all 2 replies
It's really 'Shorthorn' after all.....
by Earl Benser April 25, 2005 5:48 AM PDT
MS is begginning to admit that their grand plans for Longhorn
are encountering serious developer okjections as well basic
programming conflicts. This should not really be news; MS's
plans for Longhorn always has been perhaps overly ambitious.
And MS continues to have to work with poorly designed, and
uncontrollably modified motherboard concepts, as well as a
processor set which is much too long in the tooth with now an
almost archaeic design.

But, MS and Intel just can't seem to get their merry-go-round to
stop. No one can get off. and the ressult is likely to get you
dizzy with it's contniued spin.
Reply to this comment
Longhorn, Windows XP Rev 2
by System Tyrant April 25, 2005 6:53 AM PDT
In the past year or so I have been reading articles from people who once worked at Microsoft or have worked with Microsoft on Windows. One of the same themes that runs throughout each article is that they will never make Windows secure. They 'why' is always because of the foundation Windows sits on.

I don't like Microsoft so I probably put more into those stories than there really is, but if all stands true then Microsoft probably needs to do a major overhaul of the Windows core. This will probably cause lots of problems with the current programs, but it may be the only way to fix the non-bug security problems.
Reply to this comment View reply
Aren't The "Appplications" the Net and Not "Windows"
by April 25, 2005 7:28 AM PDT
To the extent that networks (storage etc.) and the applications that run on them ought to present much more security challenges than "Windows" (Long Horn, Short Horn, LinuxSomething... whatever) and other OSes; the questions are, why are there so much focus on "Windows" security alone when the focus should be on entire IT infrastructures that will facilitate interoperability between web services (BPEL, et cetera) applications which invariably will incorporate Extensible Markup Language (XML) protocols which may very well present greater security concerns than at the operating systems' bases - Windows and other OSes not being the "Net" unto themselves!
Reply to this comment View reply
That's not an upgrade its a linux attack
by April 25, 2005 7:33 AM PDT
when they say
"The primary benefit of such an approach is that if a laptop is lost or stolen, the data can't be accessed simply by booting the machine up using another operating system."

I dont see the benefit... On a Linux laptop only if youre root or have the users account you can access the personal information. and that has been in place since the beginning..

I wonder how many people uses another OS to access data on a windows machine?? I really think there are not that many.

If Microsoft is going to do this is just to prevent a PC with 2 or more operating systems (of course Linux among them) to see Windows files from the other OS. A laptop and most importatn a DESKTOP with linux and Windows WONT be able to read files from the Windows partition AS WE ARE ABLE TO DO TODAY.

Clever from Microsoft to distract people to the Laptops.. their real attack is on the desktop, where more Linux/Windows configurations are in place...

I use Linux to recover information from Windows PCs when the windows is so broke down that it wont start. With this "security feature" I wont be able to do it.

Same old Microsoft, the promise was to have a lot of things for security on longhorn, now they wont get to the promised date, so they jtook everything out and left only the things that prevent users of choise to use another OS.
Reply to this comment View all 3 replies
Windows "security" is an oxymoron
by PolarUpgrade April 25, 2005 7:40 AM PDT
Windows itself is an operating system. Traditionally, being secure in computing does not mean just locking the OS, since if the OS security is compromised, all data that relies only on the OS security model might also be at risk.

If one needs data security in terms of access at startup, simply use a program like Paragon Encrypted Disk, which lets one control access to encrypted "disks" created on a hard disk within current Windows versions.

Whatever the solution, since one still needs to use application level or Paragon-style encryption as a fall-back to meet due-diligence requirements (depending just on the Microsoft approach is not due diligence as we all know), it makes little sense to focus on securing the MS OS.

Securing application data via add-on encryption tools, as well as application and account passwords used with discipline, is a far better approach, because it means the hacker cannot crack just one model/approach/method and compromise millions of users all at once. The very combination of user-level security approaches builds in an extra level of security for all users owing to what amounts to random variability in the technique needed to steal any one user's data.

Since all of the above would still be needed, and since all of the above obviates the need to secure the OS itself, there is no need for OS-level security of the kind MS envisages. It's only effect would be to require us to throw away much of our extant software.

One may ponder quite reasonably whether next gen security isn't really aimed at locking software and content, as well as compelling the puchase of matchung new copy-locked software AND content, as it makes little sense except as a digital prison for the end user.
Reply to this comment
ok, but you missed THE point also
by April 25, 2005 7:57 AM PDT
Ok let me correct my self.

youre right.. ok that new feature helps your banking needs thats good, BUT its a direct way to block Linux. that point is unrefutable..

Right now you can boot Linux with a CD on a Windows Machine... you try it, get the CD out and restart Windows without modifying anything.

I use this method to FIX problems in Windows Machines when WindowsOS is unable to stand by itself... Now I wont be able to do it.

Solving that need in this way is an excuse for MS to provent people from trying Linux with a CD. You already have many ways of securing your laptops data without this "Operating System Lock". It should better be called: "Monopoly Lock".

So bye bye your ability to chose... you have no choise but to use just that Operating System.
That alone should be enough for another antitrust Lawsuit.
Reply to this comment View all 2 replies
Sleeping....
by April 25, 2005 9:45 AM PDT
And this is news?
There is a reason why I browsed through this...worthless article...NEXT!
Reply to this comment
I swear...
by April 25, 2005 9:49 AM PDT
I swear the only thing Microsoft can do any more is say they are going to do this and then the following week scale in back. Do they have any idea how this makes them look? It makes the look like idiots.

I am not a big fan of Microsoft, but I also know that I will never touch a Mac. So with that I am willing to cut them some slack. I think most Microsoft customers have cut them slack by not going after them for all of the bugs and security holes in their software.

It is a shame this scaling back doesn't work with prices. Lets see you said we would be getting this, this and that and we only got this, so instead of paying you $499.00 we are scaling back our money to match you scaled back product.

Personally, I am getting tired of this. Microsoft needs to get their act together or keep their mouths shut until they have concrete plans that are set in stone.

Robert
Reply to this comment
If You Don't Encrypt The Data
by Stating April 25, 2005 10:22 AM PDT
If you don't encrypt the data residing on a Longhorn disk drive, then it is just a matter of attaching the drive to another computer as a secondary drive. Bingo, you will have access to the data, and you don't even have to know any passwords! This is the dirty little secret of Windows, though it does make data migration or recovery a lot easier. Even if your Windows computer becomes unbootable, your data is easily recoverable. Unfortunately, it is a dream for data thieves, which is why physically securing the data (locked rooms, controlled access), particularly for servers, is important. There is no way I would let corporate executives travel with laptops that did not have data encryption implemented.

There are a number of very good 3rd party data encryption tools available, including open source based tools. They offer the flexibility of encrypting an entire volume or just select folders. They support removeable media like flash drives, and the encrypted media can be accessed across OS versions, e.g., encrypt the data on a Windows 2K computer and read it on an XP system. Overall, a lot more flexible than Longhorn, a lot cheaper (free), and subject to peer review of the encryption algorithms. Which is something I didn't learn from this story, what encryption algorithm(s) is Microsoft using for Longhorn? Who are they providing backdoor keys to? Do you want to yet again trust your security to MS?

Keith
www.techcando.com
Reply to this comment
They've gotta be kiddin' ...
by Jon N. April 25, 2005 11:49 AM PDT
Trusted Windows. This has gotta be the joke of the decade. "It's coming...trust us", they say! Ever since security in Windows started, they've dropped the ball when it comes down to software security/consumer protection. Only now are they beginning to see that security should have been on the forefront of the system {i.e.,Linux/Unix/OSX}. Even there, they drop the ball again with countless delays & promises, promises, promises! They've gotta be kiddin'! Why couldn't they have made the bootup encrypted in the first place? Meanwhile the Longhorn OS debut gets put further & further away! Now it maybe the 4th Qtr. of 2006! The only security program that M$ has made recently that seems to work well, is the Anti-Spyware beta, & that has less than 100 days left to its lifespan. I've migrated my docs to OpenOffice.org, & I am soon going to move to Linux on my i586. Redmond seems to have all the time in the world to fix its problems. I do not.
Reply to this comment
Will this "Gorilla" be let out of it's Cage!
by April 25, 2005 12:03 PM PDT
I have just read this article (please see attached link: http://www.os2world.com/petition/ ) where the OS/2 Community plans to send a petition IBM requesting to make OS/2 Open Source or at least part of its components. One wonders what will be the marketplace scenario for the "Windows", "Linux" Solaris OSes et cetera - should IBM accede to the request from the OS/2 Warp Community to Open Source this OS against the background that that it - being the "Half" Brother of Windows and previously boasted a much more "secure" and "reliable" operating platform than Windows!
Reply to this comment View all 3 replies
That's A Security Feature??
by April 26, 2005 2:12 PM PDT
Have they forgotten that the thief that steals the laptop can simply mount the hard drive onto another system and then access the data?
Reply to this comment View reply
 See all 46 Comments >>
Powered by Jive Software
advertisement

Latest tech news headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

advertisement

Inside CNET News

Scroll Left Scroll Right
  • News - Business Tech

    Chrome's JavaScript challenge to Silverlight

    The advent of Google's Chrome browser, software pros say, should spur a big speedup for JavaScript, which would raise its standing against Microsoft's Silverlight technology.

  • Gallery

    Photos: Top 10 reviews of the week

    Here are CNET Reviews' 10 favorite items from the past week, including the TiVo HD XL, Sony Cyber-shot DSC-H50, and the Dish Network's newest digital TV converter box.

  • News - Apple

    Apple watchers spot 'iPod Nano' pix, iTunes hints

    The rumor mill has long been predicting a longer, leaner new version of the iPod Nano, and now it's conjuring up some pictures.

  • Outside the Lines

    EIC Squared: Chrome, iPods, and a Dell-Salesforce union

    On this week's EIC Squared podcast CNET's Dan Farber and ZDNet's Larry Dignan discuss Google's latest rocket launch--the Chrome browser--as well as Apple's iPod event next week and a Dell-Salesforce.com union.

  • Video

    Katie Couric reflects on first Webcast

    The political conventions are over and so are CBS Evening News anchor Katie Couric's first series of Webcasts. CNET's Kara Tsuboi sat down with Couric on the final night of the Republican National Convention to discuss what she liked about Webcasting, some of her most memorable guests, and whether TV news will still be around by the next round of conventions.

  • News - Digital Media

    At 10 years old, whither Google?

    Daniel Sieberg of CBS News looks at how the company grew exponentially from start-up to superstar and part of our culture, but what's ahead?

  • Video

    YouTube plays party politics

    During the presidential campaigning four years ago, YouTube didn't even exist. Now it's a tool candidates must master to get their message across. CNET's Kara Tsuboi stops by the YouTube upload booths at the Democratic and Republican conventions to find out why Google's video site has such a big presence in Denver and St. Paul, Minn.

  • News - Gaming and Culture

    Are Demo and TechCrunch50 fragmenting their audiences?

    With both events scheduled to start Monday, many press, as well as venture capitalists and others are having to choose which one to attend.

  • News - Cutting Edge

    Execs predict next Google-like tech

    On eve of company's 10-year anniversary, researchers and business pundits speculate about what technologies might someday have as much impact as Google.

  • Gallery

    Images: The art of 'Spore' prototypes

    Will Wright and his Maxis team worked on dozens of prototypes to test the elements of their soon-to-be-released evolution game. Here's a sampling.

  • Webware

    At the TechCrunch50, an unfair advantage?

    Inside baseball: How Webware and other blogs can compete with TechCrunch in covering the TechCrunch50 event.

  • Green Tech

    Duke Energy to invest in mini solar power plants

    Can hundreds of rooftop solar panels collectively operate like a central power plant? Duke Energy launches $100 million distributed solar program to find out.