LaGrande-Palladium Distracts From Real Issue
Hardware-based security and digital rights management initiatives, such as Microsofts Palladium and Intels more recent LaGrande, promise to solve vexing security problems but entail a troubling loss of user control.
LaGrande is supposed to work with Palladium to create an environment that will safeguard information typed into keyboards, shown on monitors and stored in memory. This would keep hackers from stealing passwords by remotely monitoring password keystrokes and other confidential data.
Those goals are praiseworthy, but these schemes also pave the way for vendors dictating the manner of hardwares use, thereby making corporate computing look more like the closed-system markets of game consoles, rather than the open-system markets that have fostered IT innovation.
How did we get to this point? The main cause of the security breaches LaGrande and Palladium are meant to patch is not users abusing the freedom that these technologies would curtail. The main cause is low-cost, poor-quality software, which ubiquitous connectivity turns into the toxic agent of network-borne attacks. And how did we get to that point? Through years of accepting software license agreements unquestioningly, users have become resigned to powerlessness in a climate of low expectations that software vendors have taken pains to create.
Most consumers of other products would never accept the abdication of product liability that software vendors routinely practice. Automobile vendors, for example, have learned from hard experience in courtrooms that they are responsible, to a certain extent, for the lives of the people driving their cars. There are plenty of other examples, even including coffee that is served too hot. Even with these burdens, most vendors of mainstream consumer products would never think of including in minuscule print a litany of rights that the buyer does not have.
How can we build the enterprise of tomorrow on a foundation that snubs all warranties of marketability and fitness for intended use? We believe there can be secure computing without rigid vendor control. The journey begins when buyers assert their contractual right to software that does what the vendor says it does and hold the vendor accountable if it doesnt.