Slashdot Mirror


No Windows 8 Plot To Lock Out Linux

First time accepted submitter Bucky24 writes "ZDNet's Ed Bott decided to contact major PC makers to find out the truth about Windows 8 SecureBoot. The responses are encouraging for those of us who run third party operating systems. Dell plans to have a BIOS switch to allow SecureBoot to be disabled, and HP assures us that they will allow consumers to make their own choice as to what operating system to run, though they have not given details as to how."


  1. At first at least. by Anonymous Coward · · Score: 2, Insightful

    1. Embrace.

    1. Re:At first at least. by bryan1945 · · Score: 2

      We promise! Really!

      --
      Vote monkeys into Congress. They are cheaper and more trustworthy.
    2. Re:At first at least. by dingfelder · · Score: 3, Insightful

      until they patch it

  2. Ed Bott by bmo · · Score: 5, Informative

    Ed Bott is nothing more than a Microsoft mouthpiece. Not going to RTFA and almost didn't RTFS because of his name. His hobbies are trolling and shilling for Microsoft.

    The only difference between him and Robert Enderle is that Robert is a more honest whore.

    --
    BMO

    1. Re:Ed Bott by hedwards · · Score: 4, Insightful

      He's probably technically correct that it isn't a plot to lock out Linux. In practice though, I'd be surprised if it didn't end up like ACPI early on, where MS' implementation was the only one that many vendors bothered with, opting not to fix bugs that MS had a workaround for.

    2. Re:Ed Bott by izomiac · · Score: 5, Informative

      I read the article and regret it. The author called Dell and HP "spokespersons" and asked about their company's plans. One non-decision-making employee says Dell is currently planning to provide an option, and a similar HP employee has no idea what SecureBoot is, but can confirm that HP is not participating in a conspiracy (the stated question apparently).

      So, after two phone calls and an e-mail, the author's fact-checking work is done, so the article moves on to mocking selected quotes by open source advocates. I'll try to remember Ed Bott's name, as he obviously has such high journalistic standards.

    3. Re:Ed Bott by hedwards · · Score: 4, Interesting

      When they do it by including undocumented workarounds for a known standard, yes it certainly is evil. And in the case of ACPI, it didn't just affect people that wanted to have pure code, it also affected all the other projects that depended upon the code being implemented to standards. It took years to sort that out and ultimately, just served to benefit MS.

      Had MS actually implemented the standard that everybody else was using, the one that Intel provided a validator for, it wouldn't have been an issue.

    4. Re:Ed Bott by Penguinisto · · Score: 2

      True, but how much profit and lock-in can you get from that?

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    5. Re:Ed Bott by sortius_nod · · Score: 3, Informative

      anything on ZDNet is going to be a Microsoft shill piece.

    6. Re:Ed Bott by betterunixthanunix · · Score: 2

      Quick fix from Microsoft:

      "In response to criticism from the US government and the open source community, our secure boot loader will now allow users to run Linux! You will, of course, be running in a hypervisor to ensure that you do not attempt to access the Windows partition or overwrite the bootloader, which is necessary for your security!"

      The purpose here is to ensure that the user cannot modify Windows, and the purpose of that is to ensure that DRM systems become effective (i.e. because if you can modify Windows you can extract keys or use cracks or whatever). If Microsoft were legally required to allow dual-booting, they would do it in a way that does not really give you control of your computer, much like Other OS on the PS3.

      --
      Palm trees and 8
    7. Re:Ed Bott by bmo · · Score: 2

      not sure what the /. issue with the guy is

      If you've ever read more than one Ed Bott article, you'd know. People accuse the FOSS crowd of being stubborn. You have to be stubborn to refute the repeated lies that Ed and so-called journalists and "analysts" like him will spew. It gets old quick.

      getting paid to do what you like in a field that you like doesn't make you a shill.

      I agree. Mary Jo Foley isn't a shill. She still seems to have her dignity and integrity about her, more or less. She may be a fangirl, but I don't think she's a shill.

      In an ideal world, all journalists have integrity and dignity.

      Ed Bott has none. That's the issue. For those of us who didn't fall off the turnip truck yesterday, it's blatantly apparent.

      --
      BMO

    8. Re:Ed Bott by The+Askylist · · Score: 3, Funny
      My only question is - how can booting into Windows version anything be called "secure boot"?

      Surely the term "locked-in boot" is more accurate?

    9. Re:Ed Bott by Zancarius · · Score: 5, Informative

      Okay, I'll bite. Let's take this article as a fine example of his work:

      Allow me to illustrate by turning the argument around in an equally cynical way, with an equally inflammatory rhetorical flourish:

      People who make their living in the Linux ecosystem are demanding that Microsoft disable a key security feature planned for Windows 8 so that malware authors can continue to infect those PCs and drive their owners to alternate operating systems.

      Oh, wait. Now that I think about it, that's actually pretty close to the truth.

      Bott takes a provocative approach by claiming to "turn the argument around" using "equally inflammatory rhetorical flourish"--then implicitly claims it's "close to the truth." In other words, he's essentially linking malware authors with people who are attempting to drive users toward alternative OSes like Linux. Is it a joke? Maybe, but his last statement leaves one wondering if he really does believe it.

      He claims that UEFI will magically prevent rootkits from working simply because the BIOS will then be able to detect mangled files. I'm not sure Bott fully understands the purpose of a rootkit, but if one were well designed, UEFI will achieve nothing toward this goal. Indeed, unless UEFI contained signatures for all Windows system files, I'm quite certain that it would be fairly easy for an interested party to circumvent. After all, the objective of a rootkit is to hide the rootkit from examination, and running one under UEFI would simply require hooking into the OS at points that the UEFI does not check. But no, Bott seems to espouse this technology as magical!

      Let's not stop there.

      In this article, Bott's original post immediately presumes that the reports of MSE incorrectly flagging Chrome as malware were the fault of the users downloading compromised versions or installing on a compromised Windows install. It seems that it never occurred to him that it could have been a false positive in MSE until after it was confirmed with MS.

      Now, before you tell me that I'm nitpicking, consider this: False positives are not at all unheard of with antivirus software. Avira, Avast, AVG, et al, have been known to flag valid, clean software as potentially dangerous, and most sensible people installing something from a known-good source that claims the source file is not compromised will immediately assume it's a false positive and submit it to the AV company. While Bott did the correct thing in submitting it, he dismissed it as the fault of users simply because he couldn't recreate the problem. Ah yes, not a chance that MS could do anything wrong...

      Oh, and then there's this wonderful masterpiece in which Bott proudly declares Microsoft's victory. While this may be true--Linux on the desktop is unlikely to become a reality--you have to dig a bit to find that he concedes, quote, "On the server side, of course, Microsoft continues to acknowledge that Unix and Linux are strong competitors." You can tell he was salivating over the prospect, though, never mind that Android is, essentially, Linux under the hood.

      And what about his article The Hidden Costs of Running Windows on a Mac? Not only does he go out of his way to point out that you have to buy licenses (hint to you, Mr Bott: you're still buying OEM Windows licenses when you buy a Dell), but he points out possible performance issues and the likes. Honestly, I think this is a true shill piece; if someone has decided that they want to run Windows on their

      --
      He who has no .plan has small finger. ~ Confucius on UNIX
    10. Re:Ed Bott by bmo · · Score: 4, Informative

      For many years, Ed was on the side of SCO. His typical characterizing of the FOSS crowd as dirty, unkempt, unwashed hippies over the same years, and his continual use of the word "freetard" was, and is, reprehensible. And yes, there is a lot of it, which is why I don't want to go diving in the filth.

      Not reasonable in the least.

      If you read the post I put up here that had the quote from Florian, Florian lists almost all the "paided" shills for Microsoft and calls them "smart" thus aligning himself against FOSS and with Microsoft. Ed Bott is one of them. He left out Paul Murphy, AKA Rudy de Haas.

      And that's not ad-hominem.

      There is a lot of animosity from people like me that people like them earned.

      --
      BMO

    11. Re:Ed Bott by benjymouse · · Score: 2, Informative

      He claims that UEFI will magically prevent rootkits from working simply because the BIOS will then be able to detect mangled files. I'm not sure Bott fully understands the purpose of a rootkit, but if one were well designed, UEFI will achieve nothing toward this goal. Indeed, unless UEFI contained signatures for all Windows system files, I'm quite certain that it would be fairly easy for an interested party to circumvent.

      Ed Bott is right and you are wrong. You believe "signatures" are hashes (because there is no code signing in Linux?). They are not hashes; code/file signing is based on asymmetric keys for integrity protection and is pretty solid (unless you let Debian developers modify the code for key generation). The UEFI firmware will have a table with approved public keys. Any bootloader and its data will have to be signed with one of the corresponding private keys if secure boot is switched on. The bootloader vendor can update and distribute a new version as long as he signs the bootloader. If it works anything like Windows kernel signing (but remember this is an industry UEFI standard not exclusively available to Windows) the signature will protect executable as well as config data etc.

      After all, the objective of a rootkit is to hide the rootkit from examination, and running one under UEFI would simply require hooking into the OS at points that the UEFI does not check.

      Wrong again. The UEFI secure boot is the last missing link in the secure Windows boot chain. Each step will validate the next one before relinquishing control to it (letting it execute): 1) The UEFI firmware validates the signature of the bootloader. If the bootloader has been tampered with, UEFI will *not* execute the bootloader. 2) Bootloader runs, loads OS boot definitions, checks (through signatures again) that they have not been tampered with. If the chosen OS is set to secure boot, the bootloader checks the OS integrity (through signatures again) before launching the OS. 3) The OS gains control and before loading kernel executables and kernel mode drivers, it checks that they come from signed cabinet files. If they don't, the kernel will refuse to load them.

      Microsoft did not require that system vendors and motherboard vendors make it impossible to switch off. Microsoft does not require that their public key is the only one in the system. In order to get the "Designed for Windows 8" sticker they *do* need to 1) enable secure boot by default, 2) pre-register Microsoft's public secure boot key, 3) Not provide a programmable interface for switching secure boot on/off and not provide a programmable interface for changing the registered secure boot keys.

      There is some FUD speculation about a conspiracy that Microsoft will secretly require the vendors to *enforce* secure boot with Microsoft's key exclusively. That would prevent other bootloaders from loading. This is despite the fact that Microsoft has publicly said that they prefer that vendors do not do this but that they cannot mandate this, as it is ultimately the vendor's choice, not Microsoft's. In fact, it would hurt Microsoft as it would exclude the enterprise and corporate sector from downgrading to non-secure boot aware OSes like Windows 7, Server 2008/R2 etc.

      This issue had the wrong address from the start, and that is what Ed Bott is ranting about. This is about HW vendors, not Microsoft.

      Windows 8 will not require secure boot, but will support it. Windows 8 will boot on any machine, secure boot or not. The issue is whether hardware/system vendors will provide the on/off switch *or* allow the key table to be updated by the user. So far not a single hardware vendor has said they will disable the on/off switch, if you disregard the very suspicious claim by Red Hat employees that they "know" one vendor who has "privately and anonymously" declared that they will disallow Linux. Several vendors (Dell, AMI) are now on record as saying that they will allow secure boot to be switched off while others have declared their intention to do so.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
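
The chain described in the comment above (a firmware table of approved public keys, then bootloader, kernel and drivers each checked by signature before they run), as an added Python sketch that is not part of the thread or of any vendor's code. Assumptions: constructed textbook-RSA keys built from small Mersenne primes with no padding, one key table used for every stage, and made-up image contents; real firmware verifies Authenticode signatures against X.509 certificates.

```python
import hashlib
from collections import namedtuple

PublicKey = namedtuple("PublicKey", "owner n e")
PrivateKey = namedtuple("PrivateKey", "owner n d")
Image = namedtuple("Image", "name data sig")


def make_keypair(owner, p, q, e=65537):
    """Toy RSA key pair from two primes (illustration only: tiny modulus, no padding)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return PublicKey(owner, n, e), PrivateKey(owner, n, d)


def digest_mod(data, n):
    """SHA-256 of the image, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, name, data):
    """Vendor side: sign the image digest with the private key."""
    return Image(name, data, pow(digest_mod(data, priv.n), priv.d, priv.n))


def signer_of(image, key_table):
    """Return the owner of the first table key that validates the image, else None."""
    for key in key_table:
        if pow(image.sig, key.e, key.n) == digest_mod(image.data, key.n):
            return key.owner
    return None


def boot(key_table, chain):
    """Check each stage before handing control to it.

    Returns (stages_that_ran, name_of_stage_that_halted_boot_or_None).
    Simplification: every stage is checked against the same key table.
    """
    ran = []
    for image in chain:
        owner = signer_of(image, key_table)
        if owner is None:
            return ran, image.name  # refuse to execute; nothing later runs
        ran.append((image.name, owner))
    return ran, None


# Constructed keys: a platform vendor key and a key enrolled by the machine owner.
VENDOR_PUB, VENDOR_PRIV = make_keypair("vendor", 2**89 - 1, 2**107 - 1)
OWNER_PUB, OWNER_PRIV = make_keypair("owner", 2**61 - 1, 2**127 - 1)

# Constructed images.
LOADER_V1 = sign(VENDOR_PRIV, "bootloader", b"loader 1.0")
LOADER_V2 = sign(VENDOR_PRIV, "bootloader", b"loader 2.0")  # later update
KERNEL = sign(VENDOR_PRIV, "kernel", b"kernel image")
DRIVER = sign(VENDOR_PRIV, "driver", b"disk driver")

# Same signature, modified bytes: what an on-disk modification looks like.
TAMPERED_LOADER = LOADER_V1._replace(data=LOADER_V1.data + b" modified")
TAMPERED_DRIVER = DRIVER._replace(data=DRIVER.data + b" modified")

# Images the owner built and signed with their own key.
OWN_LOADER = sign(OWNER_PRIV, "bootloader", b"self-built loader")
OWN_KERNEL = sign(OWNER_PRIV, "kernel", b"self-built kernel")

if __name__ == "__main__":
    cases = {
        "vendor chain": ([VENDOR_PUB], [LOADER_V1, KERNEL, DRIVER]),
        "updated loader, same table": ([VENDOR_PUB], [LOADER_V2, KERNEL, DRIVER]),
        "tampered loader": ([VENDOR_PUB], [TAMPERED_LOADER, KERNEL, DRIVER]),
        "tampered driver": ([VENDOR_PUB], [LOADER_V1, KERNEL, TAMPERED_DRIVER]),
        "owner chain, vendor-only table": ([VENDOR_PUB], [OWN_LOADER, OWN_KERNEL]),
        "owner chain, owner key enrolled": ([VENDOR_PUB, OWNER_PUB], [OWN_LOADER, OWN_KERNEL]),
    }
    for label, (table, chain) in cases.items():
        print(label, "->", boot(table, chain))
```

The last two cases are the difference the thread argues over: with only the vendor key in the table the owner's chain is refused, and once the owner's key is enrolled it boots with verification still on.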
    12. Re:Ed Bott by makomk · · Score: 2, Informative

      Microsoft created the tools that generated the broken BIOS code in the first place, and they designed them in such a way that they always generated broken, non-standards-compliant code - in fact there are reasons to believe this may have been deliberate.

    13. Re:Ed Bott by benjymouse · · Score: 2

      First, you're missing the whole point. Root kits don't come in through the boot loader. That was the way it was done when DOS was the most used OS. Instead, they either use an exploit against the OS, or simply use Administrator privileges to hook into the system (many users are still running as Administrator, and those who still have UAC turned on have no idea when it's ok to click "allow").

      You should have followed along then. Windows (the x64 editions) since Vista is using kernel and driver signing. The kernel will *not* load from a cabinet file unless the cabinet is signed with a key trusted by the kernel. Furthermore, the kernel will *not* load a kernel mode driver unless it has been signed using a valid code certificate issued by a trusted issuer (e.g. Verisign).

      This means that a rootkit cannot tamper with kernel executable files or cabinet files in order to insert itself during boot. As soon as it changes the content of a cabinet file, the signature will not validate and the kernel will refuse to load it.

      So how does one circumvent this? Either by creating a malicious driver and somehow obtaining a private key to sign it. One can steal it from an ISV or try to trick the issuer into believing you are a legitimate business. Either of these options relies on a certificate which can be revoked. So, when your malicious code is discovered on a single system, the certificate you used to sign the driver will be revoked and after that your code will not load during boot.

      Windows x64 has yet another obstacle: Having your driver loaded is not enough. You need to hook into the kernel to do your evil thing. But Windows x64 also has online integrity checks. Basically it checksums many/most of its internal tables, and if your driver tampers with them, the periodic integrity checker will halt the system.

      So, what's left? Contrary to what you believe, the good old bootsector hack is back: http://www.dataprotectioncenter.com/antivirus/sunbelt/how-the-tld4-rootkit-gets-around-driver-signing-policy-on-a-64-bit-machine/. By taking control early on, a rootkit can continuously check for when a known driver/module is loaded and then modify it in memory.

      This latter attack vector is precisely what is being addressed by UEFI Secure Boot.

      A couple of hardware makers have said they will not be adding an on/off switch.

      Yeah? Who?

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  3. Wow, quite the article... by fuzzyfuzzyfungus · · Score: 4, Insightful

    While nice, if true, to hear that OEMs will be doing (part of) what people would like to see (specifically, having an option to disable 'secure boot' is better than nothing; but what you really want is the option to do a keyfill with trusted keys of your choice: signed boot components make good sense, it's just not being able to choose who is trusted to sign them that is an issue); this article could hardly be any smarmier or less informative.

    "In response to the FUD campaign of the freetards, I asked some PR people. Dell said 'yes', HP emitted word salad, AMI said that they would do whatever their customers felt like. Case Solved!" If it weren't for the smirking invective, the whole thing could have been boiled down to a single paragraph (or, heaven forfend, bulked out with technical information...)

    1. Re:Wow, quite the article... by hedwards · · Score: 4, Insightful

      At that point, you might as well ditch it completely and just have a special boot chip that can be made writable via jumper and most of the time set to read only.
      It would solve the problem without the need for such a scary possibility as the vendor being able to lock you out of your OS of choice.

    2. Re:Wow, quite the article... by fuzzyfuzzyfungus · · Score: 5, Insightful

      As best I can tell, EFI was what happened when somebody looked upon the BIOS, saw that it sucked compared to the OS, and decided that (rather than building a new firmware aimed at getting into the OS as simply and quickly as possible) they would build a BIOS large enough to possess every vice of an operating system and leave implementation to the capable hands of the PC OEMs, whose dedication to software quality is legendar...

    3. Re:Wow, quite the article... by wzinc · · Score: 3, Interesting

      I think the issue is n00bs will try Linux for the first time, fail, and think it's no good. Ubuntu, etc will have to plaster "turn-off SecureBoot" all over their site. Of course, like most BIOSes, it will be poorly translated, and you'll have to hunt all over for the right setting. People are always saying how closed Apple is on this site, but they specifically wrote a BIOS emulator so you could run Win/Linux on a Mac. Apple will be the most open hardware maker after this!

    4. Re:Wow, quite the article... by Microlith · · Score: 2, Insightful

      The primary benefits come in when you're a major system buyer needing to administer many machines, possibly before the OS comes up. But it's better than the BIOS as a whole due to not being limited to the 16-bit modes of the CPU, instead switching rapidly into the 64-bit environment immediately, far easier to develop option ROMs for, and if set up properly, and with properly written option roms (a.k.a. drivers) can boot much faster.

      Of course, all of this could have been had with OpenFirmware but Intel decided they were too good for that.

    5. Re:Wow, quite the article... by znerk · · Score: 2

      Ubuntu, etc will have to plaster "turn-off SecureBoot" all over their site.

      ... which Microsoft can then point at as an obvious indication that *nix is evil and/or insecure.

      --
      This work is licensed under a Creative Commons Attribution 3.0 Unported License.
  4. Not really that surprising by robot256 · · Score: 2

    After all, when you're simply pushing commodity hardware with no particular value added, adding "can run non-Windows OS" is just another bullet-point feature you can add to your list, and one that even normal people will look for "just in case" they want to try out this Linux thing or whatever. What's the point in locking yourself in if there isn't anything special about the hardware in the first place? Even Apple doesn't limit what its hardware can run, only what its OS will run on.

    Besides, there are plenty of enterprise customers running Linux servers and workstations, so making that an option would just add uncertainty to the supply chain and make those customers uncomfortable.

    1. Re:Not really that surprising by betterunixthanunix · · Score: 5, Insightful

      even normal people will look for "just in case" they want to try out this Linux thing or whatever

      The last time I dealt with a "normal person" buying a computer, the conversation went like this:

      Me: "...this has 2 gigabytes of ram, which should last you a few years."
      Her: "It's so ugly! What about that one, that one looks prettier!"
      Me: "That one has a lower end processor and less memory. Are you sure you want something that is less capable?"
      Her: "Look they are letting me pick the color!"

      Non-technical people are just that: non-technical. Computer makers and especially Apple know exactly how to take advantage of such people, which is what "secure boot" is all about. This is about ensuring that customers can be locked into DRM-laden platforms, plain and simple. Dell will probably have the option described in TFA...in their high end workstations, that are prohibitively priced, with the option disabled for "consumer" systems. My guess is that this will not happen in the first generation of systems with "secure boot," but more likely in the second or third generation, when more "strategic" platforms are deployed out of the box for which DRM is a key part of the control.

      --
      Palm trees and 8
    2. Re:Not really that surprising by mehrotra.akash · · Score: 2

      I have personally seen a girl going and asking the salesman: which of these laptops are available in pink? After that she bought the one with the least weight among the pink ones. She did not check the config even once.

    3. Re:Not really that surprising by Gerald · · Score: 3

      I'm confused. Are we supposed to go "tsk tsk" and be dismissive or be impressed that she had clear and concise specs which the vendor was able to meet?

    4. Re:Not really that surprising by mug+funky · · Score: 2

      in a dept store, the laptops all have the same features, save for some corner cases.

      there's no shame in "just wanting something to browse on, and maybe some other stuff". if that's what you want, then every machine in the store is good enough.

      given that, why on earth wouldn't you choose the prettiest, lightest, cheapest one (though i'd include battery life as well, because using these things in bed with the power plugged in causes awful things to happen to the power jack).

      my wife's getting an iPad 2.0. she knows how much i dislike Apple, but the thing is... it's the best tablet out there for plain old tabletty stuff, and has some features the others don't offer, at the same price point.

      i can't forbid her to buy it, or it'd expose me for being an arrogant fuck (she MUST NOT FIND THIS OUT about me).

      of course, i'll get her old netbook with HDMI and a fuct screen. i'll nuke win7 and put linux on it, like my other netbook. horses for courses.

    5. Re:Not really that surprising by kimvette · · Score: 2

      For all you know, she could be a hardcore geek, and just wanted a cheap notebook she doesn't care about to surf the web at Starbucks.

      Not all notebooks have to be powerful enough for realtime 3D modeling and nuclear reaction simulations. :-)

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    6. Re:Not really that surprising by jejones · · Score: 2

      "What's the point in locking yourself in if there isn't anything special about the hardware in the first place?"

      Don't you remember Microsoft's campaign against "naked PCs" (i.e. computers sold without an operating system)? I'm sure that we'll see a similar campaign for OEM systems and motherboards set up to preclude installing a non-MS operating system.

  5. Load your own keys? by tchuladdiass · · Score: 4, Insightful

    I want to leave secure boot enabled, but put me in charge of the keys. That is, I want to load my own public keys into the system (through a secure channel, such as a bios screen or flipping a physical switch, for example).

    1. Re:Load your own keys? by fuzzyfuzzyfungus · · Score: 2

      You crazy consumer, you. Next you'll be wanting to know your TPM's private endorsement key.

    2. Re:Load your own keys? by tchuladdiass · · Score: 2

      The point is to know that what I'm booting up is what I installed. You know that thing that was invented back in the 80's or so, called a "boot sector virus"? Yes, I know it's kind of hard to get one of those installed on a Linux system, but there are a number of server systems that have been "owned". Right now if I suspect that something is fishy with one of the servers I'm tasked with maintaining, it would be nice to know that all the automatic validity checks I put in starting with the initrd image on up are actually trustworthy. And when you've got several hundred systems to maintain, each with their own patch schedule and different customer group, every little bit helps.

  6. I doubt that Microsoft would try this by MrKevvy · · Score: 4, Insightful

    They were successfully sued (albeit more of a slap on the wrist) for antitrust violations simply for bundling a browser with an operating system.

    Colluding with hardware manufacturers to actually lock out rival operating systems making them an enforced monopoly is several orders of magnitude more severe. Why would they risk that when other operating systems have such a tiny market share anyways? The possible penalties are not worth it for a small increase.

    --
    -- Insert witty one-liner here. --
    1. Re:I doubt that Microsoft would try this by walterbyrd · · Score: 4, Insightful

      MS would just say that the hw makers decided to do it. Besides, MS never gets more than a slap on the wrist.

      Why would MS do this? The same reasons that MS funded the scox-scam, and bribed officials in the OOXML scam.

    2. Re:I doubt that Microsoft would try this by Lando · · Score: 3, Informative

      I may be way off base here, but though Microsoft was declared to be an illegal monopoly, wasn't their punishment settlement basically an agreement that gave them more control and profit than they had before? I'd have to go back and read through the documentation. That being the case, wouldn't it be in Microsoft's best interest to get in trouble again? Either way, it would be 10+ years before the case went to trial and by that time it would be the de facto standard.

      --
      /* TODO: Spawn child process, interest child in technology, have child write a new sig */
  7. Disabling secureboot implies a Non-Win OS is risky by Anonymous Coward · · Score: 3, Interesting

    The requirement to disable Secureboot in order to run a non-Windows OS will imply that the other OS is less secure. Just another way for M$ to try and make the hardware pseudo-proprietary. This is not much different than the 'Windows Key'. Ask yourself, Is this an attempt to incorrectly solve a problem that doesn't exist or just another FUD tactic from a behemoth corporation?

  8. No, that's not a solution by liquidweaver · · Score: 3, Insightful

    Disabling secure boot is not a solution - it's crippling the security, needlessly. I'd love to hear my Dell rep explain to me on my next round of server purchases that I cannot use a fantastic feature to protect the security of my linux servers because they were too lazy/corrupt to enable me to use my own platform key. I will buy from the vendor who allows me to set the PK, and will not from those who refuse. Period.

    --
    mov ah, 4ch
    int 21h
    1. Re:No, that's not a solution by mystik · · Score: 2

      Remote attestation will verify the trust all the way to the root platform key, be it Microsoft's or another vendor.

      The power to install my *OWN* key, means *I* have the power to trust that *my* server, with *my* software has not been compromised. This is kind of a big deal, and helps protect against all sorts of rootkits.

      A toggle that is simply "Use MS's Key" and "Use no key at all" is not an acceptable option.

      --
      Why aren't you encrypting your e-mail?
    2. Re:No, that's not a solution by betterunixthanunix · · Score: 2, Interesting

      I get the feeling that, come your next server RFP, your HP and Dell sales reps are going to ask you which secure boot version you want - Windows, ESXi, RedHat, or SuSE (maybe, but only because Intel has a hard-on for it as their own preferred server distro). You really won't have any other alternative.

      I doubt it, there are too many businesses that need to be able to run whatever they want on their servers. Right now businesses want more flexibility, not less.

      What you can bet on, though, is that you will never be allowed to use any of those servers to play movies, music, or video games. The split between "consumer" systems and "enterprise" systems is going to be enforced with secure boot. Consumers will not be able to install their own OSes, or if they do disable or modify secure boot, they will permanently lose the ability to run movie or music playing software. My system has an option to disable the TPM...but once disabled, it can never be reenabled, and there is no reason to think that the new boot process will be any different.

      Hackers enjoyed a 30 year victory period, where PCs were available to all and controlled by their users. That period appears to be ending, with the same entrenched media interests reasserting their control. At the end of the day, the secure boot process is about marketing PCs as media consumption platforms. You cannot run whatever software you please on your cable TV box or satellite receiver, nor can you run any software you please on your DVD/Bluray player, nor on your video game consoles. The goal is for your PC to act as a replacement for all of that, and the loss of control is a key step in that process.

      --
      Palm trees and 8
  9. Duh by bigstrat2003 · · Score: 2, Insightful

    There's never been any real reason to believe that locking down of this feature would happen, apart from FUD. This whole thing is a tempest in a teapot, and it's frankly sad to see how many members of the community are willing to believe that "on by default" necessarily means "unable to turn off".

    --
    "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    1. Re:Duh by Sasayaki · · Score: 5, Insightful

      For now.

      Features like this tend to creep their way in slowly.

      - It's something you can turn on.
      - It's on by default, but you can turn it off easily.
      - It's on by default and you need a CS degree to turn it off.
      - It can only be turned off by hacking your system.
      - It can only be turned off by hacking your system, and this is illegal to do.

      --
      Check out my sci-fi book "Lacuna" at http://goo.gl/MVxX8
    2. Re:Duh by betterunixthanunix · · Score: 2, Insightful

      There's never been any real reason to believe that locking down of this feature would happen, apart from FUD

      Yeah, because we never saw a company try to pull something like that...

      http://en.wikipedia.org/wiki/Xbox
      http://en.wikipedia.org/wiki/Playstation_3
      http://en.wikipedia.org/wiki/Nintendo_wii

      Let us not forget that media consumption is widely considered to be a strategic area for personal computer vendors to move into. We are going to be seeing more and more entertainment moving to PCs, and hardware and software makers can make their systems more competitive in the entertainment marketplace by locking down their products. Remember how the CSS keys were obtained? That is the sort of thing that movie studios want to prevent people from doing in the future, and that means that they are going to fight to ensure that people do not control their own computers.

      Just you wait. It won't be the first generation of UEFI systems, it will be a subsequent generation; the feature will be quietly slipped into consumer systems. Companies will advertise to consumers how their systems support some new video distribution system or format, and most people will never even question the loss of control (or notice it). The free software community will be forced to buy high-end workstations or systems from lesser known PC makers, and will be left out of the loop on new media formats as we already are with mainstream gaming.

      --
      Palm trees and 8
    3. Re:Duh by exomondo · · Score: 2

      For now.

      Features like this tend to creep their way in slowly.

      - It's something you can turn on.
      - It's on by default, but you can turn it off easily.
      - It's on by default and you need a CS degree to turn it off.
      - It can only be turned off by hacking your system.
      - It can only be turned off by hacking your system, and this is illegal to do.

      Out of interest, where has such a thing followed that progression?

    4. Re:Duh by Microlith · · Score: 2

      Even if your link showed that there was an incredible concerted effort to cram DRM down the throats of unwilling consumers everywhere

      And yet, in the face of DRM system after DRM system being introduced, you deny that the industry isn't explicitly taking this route? HDCP was created by Intel, this boot lockout method was developed by a consortium including Apple, Microsoft, and Intel as the biggest players. Virtually every ARM chip includes such system-crippling capabilities and it is regularly deployed. Microsoft has created and unleashed multiple DRM systems, Apple continues to use DRM on virtually everything except Music and OS X. Ebooks are plagued out the gate with DRM.

      They have been trying for a long time now to ram DRM down our throats. Here is the perfect chance to take yet another possible avenue of piracy away.

      it doesn't provide evidence that PC manufacturers are going to disable the ability to change the secure boot parameter

      No, but it's a pretty easy conjecture. Consoles, tablets, and smartphones have shown that so long as you don't unduly hinder people's ability to tune out and consume, they generally won't put up a fuss. And as a bonus, you can recruit them to shout down those who disagree with your actions.

      locking the OS down to Windows doesn't do any good unless you ensure that your media could only be played on Windows... but that step alone fulfills the requirements, because simply installing an alternative OS won't circumvent that restriction

      Well, they don't need to worry about ensuring it doesn't play on other platforms because you won't be able to boot other platforms. And if they are truly concerned, they could always store the keys in a TPM module, and ensure it goes from the TPM module to the CPU's cache for decryption and ensure it never hits system memory.

    5. Re:Duh by makomk · · Score: 2

      If you've got an OEM machine, you probably can't change most of the BIOS settings. A lot of OEM BIOSes even do things like disabling virtualization and removing the option to re-enable it.

  10. No. It's worse than it looks. by unity100 · · Score: 2, Insightful

    If it was something that was really locking Linux out in an apparent fashion, the matter could be taken into courts.

    But now the customer is not prevented from doing it - but, this time, will need to be able to get into the BIOS, turn it off, and only after that install Linux.

    As you can readily agree, the vast majority of computer users would not even know what 'BIOS' was. So, if a non-tech person from Idaho was recommended Linux, and got ahold of a CD and attempted to install it ............ go figure.

    This situation will make it slower for Linux proliferation in mainstream, due to the tech aptitude threshold. And conveniently too - you can't argue against it because if someone knows what a BIOS is and what is the setting for allowing other OSes, s/he can do it. If not, s/he cannot. So convenient.

  11. CS degree? try MS CERT to turn on boot os MS old o by Joe_Dragon · · Score: 2

    CS degree? Try MS CERT to turn on boot OS MS old or IT CERT / TECH SCHOOL / IT license to turn on boot Linux.

    Anyway, Windows lock-in with app store lock-in will be a MAJOR antitrust issue.

    Also there are industrial systems running old software / hardware that will need to be on their own, and I don't think people will like having to be locked into coding for whatever UI MS wants to force on you as part of their locked down app store for your system that is running industrial systems.

    What about nuclear plants and other places with systems that don't run Windows?

  12. Re:For what its worth by betterunixthanunix · · Score: 2

    How about the freedom to choose an independent mechanic?

    http://en.wikipedia.org/wiki/Motor_Vehicle_Owners'_Right_to_Repair_Act

    --
    Palm trees and 8
  13. self-described by PopeRatzo · · Score: 3, Insightful

    From the comments at the ZD story:

    Protecting 99% of users is more important than catering to the whims of a whiny 1%.

    Where have we heard that before?

    Can you believe Microsoft is using the language of Occupy Wall Street to try to position itself as the "masses" fighting the "whiny 1%" of people who prefer OSS?

    ZDNet, Ed Bott, and some Microsoft executives all need to burn in hell.

    --
    You are welcome on my lawn.
  14. Missed the point by betterunixthanunix · · Score: 2

    If your computer is going to run consumption-oriented software, then a priori its owner is assumed to be untrustworthy. This is indeed a security engineering problem: they want to prevent a repeat of the CSS key leak, which was only possible because DVD playing software could be examined. If you choose not to forfeit that sort of control over your computer, you will simply not be allowed to play new movies (not immediately; think 20 years into the future).

    "If large numbers of people are interested in freedom of speech, there will be freedom of speech, even if the law forbids it; if public opinion is sluggish, inconvenient minorities will be persecuted, even if laws exist to protect them." -- George Orwell

    --
    Palm trees and 8
  15. Not everyone needs higher end hardware by perpenso · · Score: 3

    I have personally seen a girl going and asking the salesman: which of these laptops are available in pink? After that she bought the one with the least weight among the pink ones. She did not check the config even once.

    And if she is just going to browse the web, maybe use an email client (more likely web based email) and maybe run the bundled word processor, what is the problem? I think we are long past the point where even the most modest computer at the local retailer has performance far beyond the needs of casual users. Hell, a tablet plus a Bluetooth keyboard is probably an option for many such users.

  16. Re:Disabling secureboot implies a Non-Win OS is ris by Microlith · · Score: 2

    It will be true, but not the fault of the OS (rather, an unfair and untrustworthy means of key distribution.)

  17. Re:Careful there... by Rogerborg · · Score: 4, Insightful

    Uh... it's not ad hominem to point out that the listed "experts" have a track record of being wrong, wrong and wrong again, and have been repeatedly caught with their hands in Microsoft's pockets.

    Groklaw (under Pamela Jones) has called things correctly far more often than not.

    Full Disclosure: On a personal note, I detest that whiny martyr PJ and her horde of White Knight sycophants, but I do have to admit that it's hard to find examples of her getting things wrong.

    --
    If you were blocking sigs, you wouldn't have to read this.