Australian Users Petitioning Against Windows 8 Secure Boot
In his first accepted submission, lukemartinez sends in an excerpt from a ZDNet article on continuing developments about Microsoft's UEFI secure boot requirements: "The Linux Australia community began petitioning the ACCC this week after Microsoft aired plans to mandate the enabling of Unified Extensible Firmware Interface's secure boot feature for devices bearing the 'Designed for Windows 8' logo. This means that any software or hardware that is to run on the firmware will need to be signed by Microsoft or the original equipment manufacturer (OEM) to be able to execute. This would make it impossible to install alternative operating systems like Linux..."
Delimiter has further information on the petitions, and Matthew Garrett recently posted a follow-up to Microsoft's response to the concerns about secure boot, calling them out on their misinformation.
Found it buried beneath several links. http://www.accc.gov.au/content/maintain/create/index.phtml?contentTypeItemId=9133&informationSpaceItemId=268347&inPop=1&returnUrl=.&type=Other
I write professional videogame reviews! http://www.digitallydownloaded.net/
Did you look down under?
No brain, no pain.
Doesn't this only affect OEM stuff, in which case, who cares.
WTF are you talking about? It will affect any PC that you want to load another OS on.
This petition and the signers of it just show that they're ignorant of the technology and the implementation of it. Unfortunately you might have government bodies thinking there is no smoke without fire, and making threats about this or that. But truth is this is a manufactured story that really has yet to cause anyone any problems.
Let me ask you this: Who has built a system with a UEFI subsystem which doesn't allow Secure Boot to be disabled by the user? Answer: Nobody.
I'd strongly implore Europeans to look at similar moves. The EU courts have proven time and again to have backbone when it comes to anti-competitive behaviour in the IT industry, and right now this is Microsoft playing the checkmate card it's been threatening for a long long time.
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
Anyone who wants to repurpose an OEM computer. Anyone who doesn't want to pay extra for jailbroken motherboards. Anyone who thinks people should own their property, instead of being beholden to the manufacturer.
That's who.
Give me Classic Slashdot or give me death!
Really though...who buys a vendor PC then slaps Linux on it? We build our PCs..
I did just that with my laptop
I have with all my Dell work laptops and desktops that I run. Linux hosts, XP/7 virtual guests.
Uh... "OEM" is pretty much every PC maker. And that's the thing, isn't it? In the case of Dell, you can be sure that consumer models will have their UEFI locked to Windows and the business models will still be allowed to run Windows XP - Windows 7 by disabling this feature. But as for being able to install new keys for other OSes? I'm going to simply doubt it because once that code is made available, you can expect malware to make use of it as well.
And here's the thing. In order to get better security, you pretty much HAVE to stop people from being able to do stupid things. It is precisely the user doing stupid things which is the most significant source and cause of security problems on PCs today. You can disable and limit things all day long, but in order for users/consumers to be able to make use of their stuff, they frequently need to disable security features as applications publishers and others are not always on board with security strategies. And let's be frank -- Microsoft hasn't been strongly security focused in the past. And the result of this past means a lot of old applications expect to live in a less secure environment. (And it's not like we haven't seen this in countless other ways such as a persisting need for MSIE6 because their browser was broken by design and applications written for it will not work with other browsers... lock-in worked for a while but was not considerate of the future.)
Is there an alternative approach? Can you allow users to do stupid things and maintain security? If there is a way, it has escaped my imagination.
Only if there is no way to disable secure boot.
The problem here is that a majority of users are Windows users that will actually benefit from running a computer with a secure boot loader. So Microsoft is serving the interests of their users by pushing for secure boot.
The good reason to oppose secure boot is the fear that computers will ship locked to Microsoft's keys. Before petitioning the government to specify the terms under which Microsoft can offer a logo program, people should be encouraging Microsoft to add a requirement for a method of disabling secure boot to the logo program (this may well be futile...).
The reason for Microsoft to do this would be to put the whole damn issue behind them, and it only really matters for random consumer hardware that might end up with Linux on it, not a space they face much competition in.
(Server and business vendors will continue to sell their customers what they want, running arbitrary software on such systems will not be problematic)
Nerd rage is the funniest rage.
The article lists the hardware manufacturer -- the system builder -- as Microsoft's customer. This is not surprising, since they are the people giving money directly to Microsoft.
So like with everything else in life, if you want to have control over something, all you need to do is to pay for it. You're welcome to purchase your computer from Best Buy, and thus give Best Buy all of the control. Best Buy can choose what you'll get vis-a-vis the security of the OS. Or, you can do what many of us do.
You can purchase Windows 8 directly, and install it yourself. Then you'll be the "hardware manufacturer" (a term that's lost all meaning here), and you'll have complete control over it.
Welcome to the power of money.
Secure boot prevents those other malwares from subverting the boot process.
Nerd rage is the funniest rage.
I mean that sincerely but Microsoft has already implemented their legal stance, "It is not up to us. It is up to the vendor".
Having to work for a living is the root of all evil.
This isn't designed to stop viruses (though theoretically it could help a little), this is part of Microsoft's anti-piracy push. Current methods of pirating Windows involve loading up something before the kernel to trick Windows into thinking it is installed on a machine with an OEM license. Obviously if the BIOS won't hand off to unsigned code then this becomes impossible and this method of piracy (which has been in use since Vista's time) is no longer viable.
Hence why they don't want OEMs to give you the option to disable this feature or to load up your own keys. If they did then it would solely be a security feature and do nothing for piracy. Given that, it explains why Linux people are so worried, because Microsoft is pushing for exactly this and Linux is about to get caught in the crossfire.
You won't be paying extra for jailbroken motherboards
You might be paying a fine for jailbreaking your motherboard though...
..It's the OEM's. Nowhere does Microsoft mandate that OEMs must remove the option to disable UEFI secure boot, only that it's enabled by default.
For someone that's supposedly calling Microsoft out for misinformation, Matthew Garrett does a great job of it himself. Here's a few points I noticed:
Which hardware vendors? Who? What hardware? Why? And what has that got to do with Microsoft?
And why shouldn't it? It also doesn't state that you can only ship Microsoft's keys. Why is it Microsoft's responsibility to get keys other than its own installed?
Exactly, however a system that ships with UEFI secure boot and only includes a linux distribution's signing keys will only securely boot that linux distribution. Why is the latter ok, but the former not? Oh wait, because Microsoft is the big, bad guy? Once again - Microsoft doesn't mandate that UEFI secure boot be forced, it's the OEM's decision to remove the option to disable it.
Of course, this fails to mention (again) that OEMs are in no way forced to remove UEFI secure boot and by doing so, they'll be at a disadvantage in the marketplace and lose sales from people like this very writer....
In short: Because Nobody else can have secure boot, why should Microsoft get to have it? Apparently that's bad for even the likes of AMD and Intel.
Never mind that 99.99% of malware targets Windows, that most "zombies" on the internet are Windows machines, that most spam is sent from Windows machines, which affects everyone. In that instance, giving Windows machines that extra blip of security by default hardly seems like a bad thing.
Woah woah woah! Didn't you just say that Microsoft were the only ones capable of forcing Manufacturers to include their signing keys? That the likes of AMD,
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Circumventing a protection system? I'm glad nobody passed a law boneheaded enough to make that illegal even if you're not breaching any copyright.
http://news.slashdot.org/story/11/09/27/2130245/canadian-government-says-drm-circumvention-not-related-to-copyright
Slowly the pieces are coming together...
'Don't worry' said the trees when they saw the axe coming, 'The handle is one of us.'
In other news, users petition to have Firewalls disabled, Microsoft force all users to have admin privs, and the removal of passwords.
When interviewing these users they had these things to say: "I love malware, someone has to" and "Pressing F12 at boot and disabling secure boot is too much work, I would rather troll every forum on the internet to sign petitions"
If you want to stand up for the rights of malware and rootkit creators everywhere, please help support this cause. Because.. "Someone has to love them"
Signing off, Bengie
1) Certs can be managed if your OEM doesn't suck. eg. Sign your own custom Linux kernel if you want
2) Win8 doesn't require secure boot to work, it just requires secure boot to put the logo on the PC
3) Secure boot can be disabled, again assuming your OEM doesn't suck
4) IT would have a shit storm if they couldn't manage this
5) Server admins would have a shit storm if they couldn't manage this
6) Someone would lose a job at Dell/HP/Gateway/etc if the end user couldn't manage this
7) This effectively makes it impossible, with current malware, to ever take over a PC
I have yet to hear a logical argument against secure boot, just lots of emo and fud.
I really doubt your claim of a 10 fold improvement in security. How many MBR rootkits have you cleaned up in the wild? How many lame malware infections have you seen/cleaned up in the wild (which secure boot won't help 1 iota)? For me those numbers are 0 to about 50,000 in the last 5 years.
Phishing and hacked websites that dump malware via browser bugs are the 2 biggest security threats I've seen in the last 5 years, and neither of these is even remotely addressed by secure boot, when someone comes up with a key signing scheme to stop phishing I'll listen to a "10 fold improvement" claim, not before.
You're missing the point. Microsoft didn't restrict Best Buy from doing whatever Best Buy wanted to do. And you weren't forced to buy your computer from Best Buy. Every single problem that you have with this scenario is instantly gone when you buy Windows yourself, and skip Best Buy entirely.
You shop at Best Buy, you get what Best Buy is willing to give to you. Or you can just go out and do it yourself. That's your choice.
So if you want to have control over Windows, you need to buy Windows from Microsoft, not from Best Buy.
Welcome to the distributor relationship. That's the way it works in almost every industry. That's why you both do and don't often want to go straight to the manufacturer.
And yes, it's always more expensive to go straight to the manufacturer. And that's usually why too.
In other news, users petition to have Firewalls disabled, Microsoft force all users to have admin privs, and the removal of passwords.
These things can be controlled for obvious reasons. What's being discussed here is what you can actually run on your computer from the start. An entirely different ball game.
When interviewing these users they had these things to say: "I love malware, someone has to"
Right.............
"Pressing F12 at boot and disabling secure boot is too much work
If you'd done some reading then you'd know that this F12 option will not always be there, nor is there any guarantee that it won't be removed.
If you want to stand up for the rights of malware and rootkit creators everywhere, please help support this cause. Because.. "Someone has to love them"
This will not help prevent malware or rootkits in any way over and above what is already done. Stop hiding behind the security reasoning, because it's crap. It still won't prevent vulnerabilities in the OS once it is running, which is where it is all happening anyway.
Certs can be managed if your OEM doesn't suck.
They will all suck. The EFI spec does not currently allow you to add your own keys. It's Microsoft or the OEM.
Win8 doesn't require secure boot to work
Future versions will once the hardware is widespread. This argument always makes me chuckle.
Secure boot can be disabled, again assuming your OEM doesn't suck
They will suck. See above.
IT would have a shit storm if they couldn't manage this
They will accept what they've been given, as always.
Server admins would have a shit storm if they couldn't manage this
See above.
Someone would lose a job at Dell/HP/Gateway/etc if the end user couldn't manage this
Utter crap.
This effectively makes it impossible, with current malware, to ever take over a PC
No, that is not the case because there will still be vulnerabilities in the OS. However, in order to do that we want it to make sure you cannot install anything but Windows? Interesting. We haven't even got into the ramifications for virtualisation, or how this might work in terms of individual hardware working on a motherboard in the future.......... It's a right mess.
This got modded insightful? Jesus.............
Microsoft have a dominant position in the desktop operating system market.
Why is it Microsoft's responsibility to get keys other than its own installed?
It is, for the same reason MS was forced to offer some choice for the Internet browser in Europe, remember?
Oh wait, because Microsoft is the big, bad guy?
Big guy: yes, again we are talking about dominant position and its consequences, which lead to more power and possible abuses, thus the bad guy. Don't you remember some MS abuses?
Here's a few points I noticed: [...]
Add to those points: the dominant position of Microsoft. It should help a lot to understand Garrett's answer.
No, what the previous poster is stating is that it only impacts manufacturers that do not offer an option to disable the setting. I do not see how this is a MS issue. Microsoft is trying to make the boot process more secure. The only way to do that is to have something like Secure UEFI validate that malware isn't hijacking the system before the OS loads. If your hardware manufacturer isn't giving you the option to disable the feature if you want, then you should take that up with them, not MS. There is absolutely nothing wrong with requiring that OEMs provide the hardware necessary to provide a secure system to end users, because honestly, the largest portion of users have no idea what a root kit is or why they need to be protected from it.
It isn't like you must have secure boot enabled to use Windows 8 and it isn't like they are requiring that manufacturers don't allow it to be turned off. MS isn't doing anything wrong. If a hardware vendor is too cheap to include a switch in the system configuration to turn off Secure UEFI, then don't use that manufacturer. It's that simple. We will never get to the point where we can't do what we want with our hardware because some manufacturer will always realize there is a killing to be made supporting those who want hardware they control. The only risk would be if it was to become a legal requirement, but I don't see that happening any time soon and certainly this has nothing to do with trying to make that happen.
AJ Henderson
It's also to prevent pirated copies of Windows and the cracks that essentially do hijack the boot process to make that copy of Windows appear valid.
signature is pants
Wait, you don't think it's fair that a person -- not unlike yourself -- who owns an assembly business, should be able to attempt to sell whatever they choose? You think someone else's private business should be forced to sell what you want to buy?
The problem is that it's not the manufacturers that *want* to do this. If so, they could have done more by now. They've done the bare minimum that MS demands. It is not in their interest to potentially restrict OS choice, and the anti-rootkit benefits are dubious (unless *maybe* if you lock down only to MS). The problem is measures like this have a large potential to be very anti-competitive, which may be a lost cause since being a convicted monopolist hasn't really slowed them down in the least.
Used to be, you could purchase a computer with no OS at all. Now, the law says that it's illegal to do so.
Show me this alleged law. I can tell you already that you cannot, because you can buy tower systems all day long without an OS from IBM, Dell, and HP. Generally complete Desktop and laptop vendors don't dare to sell bare-bones systems because of market forces and logistics.
Otherwise, Best Buy would be selling computers without OS's,
WTF are you smoking there? Best Buy won't touch *anything* that could possibly 'confuse' or 'intimidate' a random person off the street.
But you (the greater you) yelled and screamed about a decade ago, forcing Best Buy to only sell computers with an OS.
I do not recall *anyone* (apart from Microsoft themselves) begging any government to forbid bare bones systems...
XML is like violence. If it doesn't solve the problem, use more.
I sincerely doubt secure boot is of any concern nowadays. While boot sector malware may still be feasible, it is extremely limited, to the point that it is quite difficult to locate people around you with such a problem.
This effort is more about controlling which operating systems can run on a PC than securing the boot process.