Windows Vista To Make Dual-Boot A Challenge?
mustafap writes "UK tech site The Register is reporting on security guru Bruce Schneier's observation that the disk encryption system to be shipped with Vista, BitLocker, will make dual booting other OSs difficult - you will no longer be able to share data between the two." From the article: "This encryption technology also has the effect of frustrating the exchange of data needed in a dual boot system. 'You could look at BitLocker as anti-Linux because it frustrates dual boot,' Schneier told El Reg. Schneier said Vista will bring forward security improvements, but cautioned that technical advances are less important than improvements in how technology is presented to users."
Does Microsoft even realise they're being charged with illegal monopoly practices at the moment? Do they know that the EUC isn't going to let them get away with any illegal bundling while they're charging them? Sheesh...
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
Anybody that is dual booting will also know that making a partition formatted FAT32 will allow copying of files between OSs.
Anti-competitive! Predatory! Monopoly!
Don't worry, once Leopard comes out with Apple's own implementation of the Win32 API, no one will need Windows ever again.
Mmmuh-hahaha!
It's not a big deal that they're doing this; after all, I won't be using Vista when it's released. A lot of people I know and I will be migrating to Linux entirely and not looking back. Nobody I know wants to pay an arm and a leg to use an operating system that isn't going to contribute to bettering their current desktop experience. Those not migrating to Linux won't be upgrading from XP.
Did I miss something? Is this disk encryption going to be compulsory?
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
Which is it, data sharing between two OSs or dual booting? Because I can dual boot just fine with current products and still not be able to share data. Not until NTFS for linux makes some more progress, anyway.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
I've used every build of Vista or Longhorn ever released/leaked, and so far I have seen absolutely no extra "anti-Linux" default-disk-encryption thing. The bootloader also still works fine with chainloader +1. Since Vista has supposedly been "feature-complete" since build 5308 (now is on 5365), I'm not convinced this is anything but FUD.
Encrypting a filesystem prevents arbitrary operating systems from accessing it!
I mean — what the fuck?! — isn't that the whole idea?
http://www.microsoft.com/technet/windowsvista/sec
I don't know exactly how this encrypted FS works in Vista but I imagine it won't be much different than cryptfs in Linux or FileVault in OSX. When I boot into Linux on my Mac I can't get into the home directories for any of my users but I can certainly still share files....
Anyway, most dual booters that go between Windows and Linux already have dealt with these issues due to the unfriendly nature of NTFS.
At least, according to Wiki.
As much as we all love to bash Microsoft, I'm guessing it's an optional feature.
I appreciate that it's popular to bash MS (I'm just as guilty) but isn't this getting to be a step too far? They're introducing file system functionality for added security and being ripped apart for it by the same people that scream at them for their lack of security focus? I've had a bit of a read into it, and at least on the surface it seems like a good idea.
Bitlocker isn't going to be compulsory, and as such it isn't going to affect dual booting in any way shape or form. It's certainly not the sort of thing your average home user would be setting up anyway (IMHO). Seems like Mr Schneier is a good old fashioned troll.
Some more info on Bitlocker here: http://www.microsoft.com/technet/windowsvista/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx
People that believe in their opinions don't post AC.
Also, Bitlocker is only available on Vista, so are you saying you're running your production users on the Vista beta?
The final straw came when one employee lost several hours' work when Bitlocker suddenly had an error reading from our intranet file server and corrupted his project.
Bitlocker doesn't affect files read from network locations, it's merely a hard disk encryption technology. I think you're confused about what Bitlocker is.
The only reason I was considering Vista is because Microsoft have made sure DirectX10 won't run on XP.
Now if I also can't dual-boot then that's the last straw to drive me to a linux-only system.
And before anyone suggests it, no I don't want to be running Linux under a Microsoft VM.
Ok... I've been a linux fan for 10 years or so now. Haven't run anything but linux in about 7 years. But c'mon guys this is FUD.
First of all, Vista won't have this activated by default. Here's how you can turn it on in Vista Beta:
http://www.microsoft.com/technet/windowsvista/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx
And yes it will make any data encrypted in this manner unavailable to another operating system. It does this by using TPM (Trusted Platform Module) in the BIOS and can base the key on the kernel and optionally: just the bios, a user supplied key, or a USB drive supplied key.
This allows for the option of encrypting/decrypting data from the very start of the boot process. And guess what? It's being implemented in linux too!
http://lwn.net/Articles/144681/
BitLocker from Windows is just a kernel based drive encryption software that takes advantage of TPMs just like the Linux system. If you're concerned about cross platform compatibility then use user space encryption rather than kernel space encryption. If you're that concerned about secure keys then don't dual boot! If you love dual booting and don't care about encryption at all, no one is going to beat you up and make you use encryption.
You may remove the tinfoil hat.
--David
And darn those pesky motherboard manufacturers for using a BIOS that includes the ability to put a boot up password, thereby preventing us innocent and proud computer users from installing an OS onto our machine! This means war! Seriously. Since when is this: A. A new issue (NTFS, translating differences in file structure between OSes, etc.) B. A "REAL" issue. It's not like there is a software bomb that will melt your hard drive if you type in an open source URL in your web browser. C. Anything but another jolly "Hey let's hate on Microsoft because it's cool!" You are ENCRYPTING THE DISK. What do you expect to happen? I'm reminded of fools that set BIOS passwords, then scream at me because suddenly there is a password on their computer and they can't access it. *Pixie tosses two red American pennies on the nearest table, and quietly walks out of the room.*
A company plans to include a very useful encryption tool with its next OS.
This is good news in terms of security and privacy, and therefore /. readers will welcome it.
Oh wait, no they won't, because the company is Microsoft. Microsoft is baaad, therefore everything they do is sinister and evil. You people always manage to find the dark lining to their every silver cloud.
It's the herd-mentality at work, folks.
Yawn.
Azural - instrumentals
Shocking.
Will it be possible to mount non-encrypted disks in Vista? Well, unless MS is finally prepared to kick backwards compatibility then yes.
Even if unencrypted HD's ain't supported (unlikely) they would still need to support regular filesystems like FAT for all those flash disks from your camera and USB keys and such.
I am as anti-MS as you can get (if I am ever diagnosed with an incurable disease Gates gets a bullet in the head the next day thanks to my Halo training. Eh, non-MS FPS training) but this is just too much. Linux disk encryption makes it just as hard for Linux to dualboot Windows. In fact every Linux distro should just use FAT to make sure Windows can be dualbooted and read the Linux data.
Geez.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
One slight detail.
Drive encryption is optional. It's something you may configure while setting up the system for systems carrying sensitive or important data. It's not like a standard Vista install automatically encrypts the entire drive. That would be ludicrous.
Bruce Schneier may be a brilliant security guy, but like every other person (and company) on the planet, he has an agenda. Don't automatically trust the guy telling you stuff because it's embarrassing to the person he's telling you about.
Ah, I almost forgot. This document is the Microsoft whitepaper on setting up and using drive encryption for Vista. Skim through it. Notice that it's freaking huge. The setup procedure is involved and low level. This isn't the sort of thing that will automatically be put on by an ignorant user blindly clicking "Next".
I really do. If it was me in charge, first thing I'd do - day one - would be to either hire people currently working on the Wine project, or hire a bunch of other qualified people and have them contribute to it. Get Wine working, then get it working well. Get a contract with Transgaming too - have them help. Imagine a Mac that played all the Win32/DirectX games! You wouldn't have an excuse then, right? Then, I'd dump all that work back into the FOSS community so others could benefit, and have a brilliant super-compatible easy to use Wine built into the next Mac OS.
Ahhh...how great it would be. And it's the best kind of dream. It's possible.
Weaselmancer
Ridiculous.
This article appears to be completely uninformed. Bitlocker works on a volume basis, not on an entire hard drive (unless the hard drive only has one volume). In fact, in order to get Bitlocker to work for Vista you MUST have two volumes, one being the OS volume that is encrypted with Bitlocker, and the other is the system volume which cannot be encrypted with Bitlocker. Nothing prevents you from having multiple volumes and only enabling Bitlocker for some of the Windows Vista volumes. You can have other volumes/partitions with Linux or any other OS you want. The only issue is that you will not be able to read the Bitlocker protected partitions from Linux. Isn't that kind of obvious? You can still have an unencrypted FAT32 partition for sharing data between Linux and Windows, or an unencrypted NTFS partition for one way sharing between Windows and Linux (write support for NTFS on Linux is still not reliable). As far as recovery, you will not be able to do that with Linux; you will have to do that with Windows. I guess I'm not seeing a real issue here.
Seriously. We need a "Duh" tag on this story.
That is the entire point of Bitlocker: encrypt the drive so only the encrypting OS can decrypt it. Bitlocker would be rather pointless if any OS could read the encrypted drive now, wouldn't it?
Even if you move the bitlocked disk to another Vista machine, that machine wouldn't be able to read the disk without the decryption key, which I severely hope you backed up.
We're dreading this feature in Vista because if it's anything like XP encryption and it's easy to turn on, there's going to be a lot of unhappy students when we tell them "Your hard drive crashed and all of your files are unrecoverable because you encrypted the drive."
In Soviet Russia, Trojan exploits YOU!
"You could look at BitLocker as anti-Linux. . . "
No, just anti-dual-boot. Microsoft makes their product more secure
Sorry, but since when does dual-boot mean "less secure"?
How many viruses are going to be stopped by preventing dual-booting? How many trojans?
Yeah, that's what I thought.
Bitlocker would be rather pointless if any OS could read the encrypted drive now, wouldn't it?
If any OS could read the encrypted drive given the key, then there would be no problem. The problem comes when Microsoft does not specify how to turn the ciphertext plus the key into the cleartext.
Based on the quality of the betas so far, I'd say that single-booting Vista is enough of a challenge...
I'm sorry, but this seems to be a bit of a non-story
... I give it less than a month after release until somebody has been able to figure out how to pull the data from there.
Mickeysoft can't stop anybody from booting anything. The boot process is handled by the BIOS and the boot sectors on the disk, which can't be encrypted unless the BIOS cooperates.
If the BIOS cooperates, it still has to be able to read said boot sectors, and if it can read Windows boot info, it can read Linux boot info, or anything ELSE you want to put in there.
So "difficult to dual-boot" is as far as I can tell, CRAP.
As for sharing data between the two systems
No, just anti-dual-boot.
Please explain to me how this is going to prevent you from dual-booting
Okay, first off, the article headline is HORRIBLY misleading. BitLocker will NOT ENCRYPT THE ENTIRE DRIVE. It is required that you have a ~100MB partition in order to boot off of, which will then in turn load the needed software into RAM and *then and only then* decrypt the encrypted partition.
Read: This has nothing at all to do with dual booting. Your ability to dual boot will remain completely unchanged, period. This, however, is about your ability to share data between OSs, not your ability to boot two. Learn to write an article headline, please.
FAT32 is dead. Period, get over it, dead. No, I take that back, it still has one use: flash drives, and other forms of removable media. Other than that, IT IS DEAD. Why? Simple: security. From Windows 2000 and on, Microsoft actually put some degree of effort into security. "Some degree?" you ask? End result, due to NTFS, you can actually secure your system. Compared to FAT32 anyways, where a *guest* user can drop a virus as c:\explorer.exe, and then the next time Johnny Admin logs in, it's over. NTFS added actual security measures. ACLs. Execute bit. And, well, quite a bit more. Due to this, I can say the following without doubt that I'm right:
1) BitLocker will ONLY work with NTFS.
2) Vista will do everything they can short of threatening to eat your children to get you to install on NTFS. (Side note: http://www.theinquirer.net/?article=30128 vs. http://www.microsoft.com/technet/windowsvista/library/plan/5025760b-0433-4ba1-a2f4-9338915fdb4b.mspx - Beta1 won't install on FAT32, but according to official MS docs, it will (eventually, most likely))
3) If you're still using FAT32 as your primary OS partition, you're an idiot.
4) Due to #4, if your defense is, "my [windows] OS can't run on NTFS!", my response is still the same. Go upgrade, you're not helping anyone.
FAT32 is nice for removable media. That's about it.
(</troll>)
The users that don't understand aren't going to be the ones dual-booting. Even if they do get the dual-boot bug, turning off the encryption is (most likely) just an annoying-but-manageable reinstall away.
Information wants to be free.
Entertainment wants to be paid.
You just want to be cheap.
Another way to avoid encrypted file loss is to designate a recovery agent.
See also How to back up the recovery agent Encrypting File System (EFS) private key in Windows Server 2003, in Windows 2000, and in Windows XP
To add a recovery agent for the local computer
For all of your criticism of FAT, NTFS provides -zero- security when the host Windows operating system isn't in charge (e.g. when you've dual booted, or even booted with a Knoppix disc, and that Linux install happily disregards NTFS ACLs). It's functionally no better than FAT32 in that very common scenario. Encrypted File System, really a more granular, earlier version of BitLocker, does offer data exposure protection, however it's really an application layer above NTFS, much like PGPDisk.
1) BitLocker will ONLY work with NTFS.
Given that BitLocker exists transparently under the file system, automatically encrypting/decrypting transparently, there is no technical reason for them to limit it to this. In fact, given the wide number of FAT32 removable storage devices, which people will likely want to encrypt, it seems very likely that BitLocker will support non-NTFS devices.
Which is moot to everyone who does not require fancy user-friendliness.
WinZip and WinRAR can display the contents of an archive. It's not much of a jump to manually read the partition and display the contents in the same fashion - the only difference is that you write the code to work at the user level rather than a kernel level.
BTW, drivers need to be debugged somehow. From the site you linked to:
Feel free to call it BS, but drivers will need to be debugged and tested before they can be accepted by Microsoft for the WHQL stamp. If drivers are not signed, then you'd either have to trust all your developers not to leak the keys, or do a time consuming development process.
2. There is not a problem here. Bitkeeper (EFS with a name created by the marketing department) will not be enabled by default unless your company enables the policy. If your company does enable the policy, you should also create a Data Recovery Agent. This can also be done on a standalone workstation.
Bitkeeper is not "EFS with a name created by the Marketing Dept" but rather a very different sort of encryption scheme. EFS uses an encryption key stored within the CAPI store in the OS to encrypt individual files and folders. It is not at all good for full disk encryption, and using it for this purpose can/will cause a multitude of problems. Bitkeeper on the other hand is a full-disk encryption scheme similar to Utimaco, Safeboot or the commercial full disk version of PGP that utilizes an encryption key that is either loaded in a hardware TPM (Trusted Platform Module - a hardware key repository on the motherboard) or is alternatively loaded at boot time from a USB key.
3. If you can't access your ENCRYPTED data from another OS or boot CD, the encryption worked. Encrypting data involves risks just as leaving your important data unencrypted involves risks. Pick your poison and move on.
Actually, if you cannot access your encrypted data from another OS it simply means that you short-sightedly chose an encryption method that is not cross-platform compliant. There are plenty of encryption solutions (full-disk and file/folder based) that work cross-platform, just don't look for one to be provided with your Microsoft OS.
\/\/oobie
In ten years you'll be saying exactly the same thing about replacing cocoa so you don't need a machine made by Apple ever again.
Way to go there, migrating to a locked in proprietary platform. Oh, and on top of that, one that's crippled to only run on mandated hardware.
But Apple are hip at the moment, so it doesn't matter.
Malike Bamiyi wanted my assistance.
Who dual-boots? A small subsection of the "geek crowd" who have some kind of moral objection to owning more than one PC ("but, I run Linux, I don't need a hundred servers to do the job of one!") or are too poor to do so. True geeks have more than one PC and find dual-booting to be annoying. That leaves the bulk majority of PC users: home owners and corporations. How many of them dual boot? Exactly. So, you've been shut out. Who cares as long as everyone else (the ones who really NEED to be protected automatically) are protected from not only harming themselves, but others. For a group so concerned with security, and bashing on end users' inability to grasp even the simplest technical knowledge, it never ceases to amaze me how quickly they complain when someone makes it easy on the people most needing of someone to lock their system down for them. Yeah, it's a run-on. That's what you get when you read this far down in the comments section. Nosebleeds of comments, baby.
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
And an ext3 drive mounted by a hostile system will ignore security settings as well. The point of filesystem permissions is not to defeat a hostile system, but rather to allow admins to keep control of the machine and users to protect their files from other users.
Snowden and Manning are heroes.
Feel free to call it BS, but drivers will need to be debugged and tested before they can be accepted by Microsoft for the WHQL stamp.
Vista 64 already has a working opt-out, done with an F8-key startup option, but it must be repeated at each reboot and cannot be made the default. If you forget to press F8 at exactly the right time when booting back to Windows, no Ext2 for you.
True.
DRM is going to cost them their majority market share. The more they make things suck, the less people will want to use them. WMP 10 is an indicator of where things are going. Check out this satisfied customer's opinion of it:
Then Digital Restrictions Management (DRM) started harassing me and asking to connect to the internet to check for licenses where none had been needed before. The worst part of this "upgrade" is how it poisoned the whole system and crippled Media Player Classic too.
How much more can they make things suck? Firewalls you can't configure, entire volumes encrypted and media players that don't play. What do they have to offer?
Who's going to buy this shit?
Things have never looked better for free software.
Friends don't help friends install M$ junk.
Seems to me as if you're all talking about making it hard for yourselves. Why not simply take the opportunity to ditch Windows altogether?
Nobody in their right mind would run his OS on FAT32, but if you're planning on dual-booting, you probably already have made an extra FAT32 partition, in which you dump the stuff you want shared.
You can even mount it in your home directory for easy access. (And on Windows you just use X:\ as your 'my documents' folder).
And I don't get your ranting about the security of NTFS vs. FAT32. With NTFS, anybody can boot Knoppix with captive NTFS (or a Windows-based LiveCD, if those exist) and overwrite explorer.exe with anything he likes. You're screwed if somebody has physical access, no matter what the OS or Filesystem is.
Indeed. And in fact you see a lot of implementations for windows of which a lot are based on the open-source code.
This shows that:
Meanwhile, the opensource community is trying to play nice with Microsoft's OS.
"Sufficiently advanced satire is indistinguishable from reality."
You can get pretty safe write support now via ntfsmount (FAQ entry).
What will likely happen is that when you a buy a computer, it will already be enabled.
Well it would be pretty hard to enable, unless they magically know who is buying the computer ahead of time,
The whole point is the END USER has to create their own key and pin/biometric at the TIME the drive is Encrypted.
So unless you see Dell becoming 1800 Ms Cleo, or see Gateway flying people to their factory just so they can enable the feature for that person, I think your tinfoil hat may be leading you down the wrong path...
One slight detail: Vista isn't out yet.
Actually this feature is pretty much as set in stone as you can get. The guy writing the article knows little to nothing about bitlocker, especially baiting people into believing it has any anti-Linux intentions.
As for it being a real feature and as the person above posted, they are correct and it is.
I am truly looking at the help file for Bitlocker in Vista as I type this. (We have also tested BitLocker on several systems; it does what it is supposed to do, and it has to be enabled by the END USER, as their key/pin is used to encrypt the drive.)
And let's say as a goof Dell did enable this feature, and assigned a key and pin to the person buying the computer: all you do is type in your pin for access and then turn BitLocker off. (It can be turned on and off for the entire drive quite easily once it has been enabled.)
It is 100% optional, and not something recommended for the average person. It also is not recommended for volumes that need to be accessed from another OS in a multi-boot environment, so just don't use it.
You do realize it even locks out Windows XP if you are dual booting Windows XP and Vista and you use BitLocker to encrypt your Vista partition?
This is NOT an evil plan against other OSes.