Palladium Debate Heats Up

As Microsoft shares more details of its Palladium security architecture, there is growing unease over the company's intentions.

Microsoft Corp.s vision for its Palladium security architecture is jelling as the software maker prepares software development kits and a detailed road map for the technology.

But as the Redmond, Wash., vendor shares more details of Palladium, there is a growing unease in the security community about not only the technology but also Microsofts intentions.

Some critics see Palladium as an attempt by Microsoft to use security to extend its operating system monopoly. Others say that the technologys capabilities will give Microsoft near-complete control of what applications customers can run on their machines.

"Im ... afraid of what this means for their monopoly. I think its heinously evil," said Crispin Cowan, chief scientist at WireX Communications Inc., a security vendor in Portland, Ore.

Cowan said Palladium would be better if users were allowed to load their own customized certifications, but the system still wouldnt be able to guarantee security. "Palladiums signed code requirement will prevent the installation and execution of new, malicious code, but it will not prevent attackers from running existing code in malicious ways, and buffer overflows are the primary way to get there," he said.

Proponents say that while Palladium has room for abuse, it has the potential to improve the overall security of PCs and networks. "I dont think Palladium needs to be thrown out because its being started by a big company. The fundamental issue is giving users control," said Bill Arbaugh, assistant professor of computer science at the University of Maryland, in College Park, and co-author of the 1997 paper describing the technology at the heart of Palladium. "If the technology has that capability to give users choice, it will be a benefit to everyone."