Slashdot Mirror


Microsoft Certificate Was Used To Sign Flame Malware

wiredmikey writes "Microsoft disclosed that 'unauthorized digital certificates derived from a Microsoft Certificate Authority' were used to sign components of the recently discovered Flame malware. 'We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,' Microsoft Security Response Center's Jonathan Ness wrote in a blog post. Microsoft is also warning that the same techniques could be leveraged by less sophisticated attackers to conduct more widespread attacks. In response to the discovery, Microsoft released a security advisory detailing steps that organizations should take in order to block software signed by the unauthorized certificates, and also released an update to automatically protect customers. Also as part of its response effort, Microsoft said its Terminal Server Licensing Service no longer issues certificates that allow code to be signed."

194 comments

  1. Surprised this isn't regulated more closely by danbuter · · Score: 5, Interesting

    I kind of thought Microsoft would make damn sure someone else couldn't duplicate their signatures (barring an employee or a government doing it).

    1. Re:Surprised this isn't regulated more closely by danbuter · · Score: 2

      *certificates not signatures. Doh!

    2. Re:Surprised this isn't regulated more closely by Dogtanian · · Score: 4, Interesting

      I kind of thought Microsoft would make damn sure someone else couldn't duplicate their signatures (barring an employee or a government doing it).

      Given the blurb for this story that also appeared today...

      All three were most likely developed by a Western intelligence agency as part of covert operations [..] consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets

      I think that *this* part of your comment:-

      (barring an employee or a government doing it)

      may answer your own question. Aside from the fact that governments would have had massive resources to start off with, it's also probable that MS were (at least) forced to allow those governments access or involvement at some level to otherwise secure or confidential aspects of their software.

      If this is the case, then at the very least, they could have used such knowledge to give themselves an advantage. Going one step further, it's possible that they used or exploited this to help steal or get access to those keys.

      But given that it's widely claimed that the US government was involved in the creation of Stuxnet, it's equally plausible that MS willingly gave- or were pressurised into giving- them those certificates knowingly, even if they might not have known exactly what they were for.

      This is just speculation- I don't know any of this for sure, or have any special knowledge of the situation. But it does add up to being at least plausible.

      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
    3. Re:Surprised this isn't regulated more closely by fuzzyfuzzyfungus · · Score: 5, Informative

      The Feds may also be leaning on MS/Verisign/whoever; but this instance appears to be one of rather serious fuck-uppery. From MS's blog entry:

      "What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure."

      So, guys, turns out that we accidentally built our phone-home DRM such that the cryptographic "OK, your CALS are worthy unto Redmond and thou mayst remote desktop" message is also a valid signing key with a chain of trust going right back up to a default-trusted Microsoft cert... Oops.

      Now, given that (so far as we know, clearly team AV isn't in any position to tell us) this little mistake was not widely known or exploited, clearly the Flame guys were on the ball (and far more interested in spying on Iran or whoever than in improving the security of domestic computers... thanks a whole fucking lot on that one, feds).
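
Added example (not part of the thread and not Microsoft's code): a small model of the mis-issuance the quoted blog entry describes, where a certificate issued for license checking also validates for code signing. All certificate names and the `licenseServerCheck` label are constructed; the EKU handling is a simplification that assumes a missing EKU extension means "any purpose" and that a validator may or may not treat CA-level EKUs as constraints.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

CODE_SIGNING = "codeSigning"
LICENSE_CHECK = "licenseServerCheck"   # hypothetical usage label for this example


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    intended: str                      # purpose the issuing process had in mind
    eku: Optional[FrozenSet[str]]      # None models "no EKU extension present"


def build_chain(subject: str, pool: Dict[str, Cert], roots: FrozenSet[str]) -> List[Cert]:
    """Walk issuer links from `subject` up to a trusted root (leaf first)."""
    chain: List[Cert] = []
    seen = set()
    while True:
        if subject in seen or subject not in pool:
            raise ValueError(f"no path to a trusted root via {subject!r}")
        seen.add(subject)
        cert = pool[subject]
        chain.append(cert)
        if cert.subject in roots:
            return chain
        subject = cert.issuer


def permits(chain: List[Cert], usage: str, ca_eku_constrains: bool = True) -> bool:
    """True if the leaf of `chain` would be accepted for `usage`.

    The root is the trust anchor and is not checked. Intermediate CA EKUs are
    only enforced when the validator treats them as constraints.
    """
    leaf, intermediates = chain[0], chain[1:-1]
    checked = [leaf] + (intermediates if ca_eku_constrains else [])
    return all(c.eku is None or usage in c.eku for c in checked)


def audit(pool: Dict[str, Cert], roots: FrozenSet[str],
          ca_eku_constrains: bool = True) -> List[str]:
    """End-entity certs that can sign code although issued for something else."""
    findings = []
    for cert in pool.values():
        if cert.is_ca or cert.intended == CODE_SIGNING:
            continue
        chain = build_chain(cert.subject, pool, roots)
        if permits(chain, CODE_SIGNING, ca_eku_constrains):
            findings.append(cert.subject)
    return sorted(findings)


def hierarchy(licensing_ca_eku, license_leaf_eku) -> Dict[str, Cert]:
    """Constructed two-branch PKI: one branch for code signing, one for licensing."""
    certs = [
        Cert("Example Root", "Example Root", True, "root", None),
        Cert("Example Code Signing CA", "Example Root", True, "ca",
             frozenset({CODE_SIGNING})),
        Cert("Example Release Signer", "Example Code Signing CA", False,
             CODE_SIGNING, frozenset({CODE_SIGNING})),
        Cert("Example Licensing CA", "Example Root", True, "ca", licensing_ca_eku),
        Cert("Customer License 0001", "Example Licensing CA", False,
             LICENSE_CHECK, license_leaf_eku),
    ]
    return {c.subject: c for c in certs}


ROOTS = frozenset({"Example Root"})
LIC = frozenset({LICENSE_CHECK})
WEAK = hierarchy(None, None)      # licensing branch carries no usage restriction
CA_ONLY = hierarchy(LIC, None)    # only the licensing CA is restricted
HARDENED = hierarchy(LIC, LIC)    # CA and every issued license are restricted

if __name__ == "__main__":
    for name, pool in (("weak", WEAK), ("ca-only", CA_ONLY), ("hardened", HARDENED)):
        for strict in (True, False):
            print(f"{name:9} ca_eku_constrains={strict!s:5} ->",
                  audit(pool, ROOTS, strict) or "no findings")
```

Restricting only the licensing CA clears the finding for validators that honour CA-level EKUs but not for ones that look at the leaf alone, which is why the issued certificates themselves need the restriction.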

    4. Re:Surprised this isn't regulated more closely by mcgrew · · Score: 5, Insightful

      So much for "SafeBoot". Maybe we should now start calling it "unsafe boot"?

    5. Re:Surprised this isn't regulated more closely by Anonymous Coward · · Score: 0

      There's the possibility that the certificates are in the Windows source code, which I believe government agencies like the DoD request to have before they use proprietary software like Windows. However, the comment by fuzzyfuzzyfungus seems to indicate the attacks could've used an easier vector.

    6. Re:Surprised this isn't regulated more closely by Spyder · · Score: 4, Insightful

      Stuxnet was signed by stolen certificates: http://www.securelist.com/en/analysis/204792208/Stuxnet_Duqu_The_Evolution_of_Drivers?print_mode=1 . It's possible that Flamer was signed by compromised certificates, but if we believe that Stuxnet and Duqu were the products of a nation state level actor then we could conclude that Flamer is in the same category.

      --
      Spyder
    7. Re:Surprised this isn't regulated more closely by Spiked_Three · · Score: 4, Insightful

      "This is just speculation- I don't know any of this for sure, or have any special knowledge of the situation. But it does add up to being at least plausible."

      I have a little knowledge, not a lot, and yes this is exactly the kind of thing that can happen. It is quite impressive what happens when as a company you tell NSA no. In my limited experience, it changes to yes less than a month later.

      Simple reality, Microsoft probably let a bug/flaw slip through a while back, if that was not the case then they were told to. Laugh all you want, but if any other operating system had been the target, do you think the outcome would have been any different? Oh, and here is another amazing fact; it will happen again if desired.

      --
      slashdot troll = you make a compelling argument I do not like the implications of.
    8. Re:Surprised this isn't regulated more closely by leuk_he · · Score: 1

      Well,

      YOu are already thrusting MS to run code (the "OS") on your computer. The boot is then the least of your worries. Unless you want to run another OS. But as Red Hat concluded, buying a 99 dollar certificate was a better option than to set up your own CA.

    9. Re:Surprised this isn't regulated more closely by Vlad_the_Inhaler · · Score: 1

      Back when Kaspersky first went public on Flame, I saw that one of the Israeli government ministers essentially said "didn't we do well!" a day or so later. I don't remember his name, it meant nothing to me.
      Of course as a politician he could well have been misinformed, lying (trying to position himself as a hawk) or just too stupid to keep his mouth shut. On balance, I tend to see Israel being wholly or at least partially responsible - "partially" would probably implicate the US as partners. Why do the Iranians persist in using Windows?

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
    10. Re:Surprised this isn't regulated more closely by shentino · · Score: 1

      Considering the recent escalations in state sponsored cyberwarfare I wouldn't be surprised if the NSA was involved in Microsoft signing this stuff.

    11. Re:Surprised this isn't regulated more closely by Anonymous Coward · · Score: 5, Funny

      Sorry, but when you run Windows, MS does the thrusting.

    12. Re:Surprised this isn't regulated more closely by Errol+backfiring · · Score: 1

      No. "Protectionistic boot" is the most truthful term.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    13. Re:Surprised this isn't regulated more closely by gstoddart · · Score: 2

      YOu are already thrusting MS to run code

      Mostly it feels like Microsoft is thrusting us. ;-)

      --
      Lost at C:>. Found at C.
    14. Re:Surprised this isn't regulated more closely by Anonymous Coward · · Score: 1

      And if you like the thrusting, you buy Apple.

    15. Re:Surprised this isn't regulated more closely by Anonymous Coward · · Score: 0, Interesting

      After about 5 years of not coming in contact with anything even vaguely Microsoftish (except maybe teller machines in check-out lines and the ticket terminals at the Portland Max stops), I just reinstalled XP on an ageing yet speedy little 3ghz p4 the other day and after getting the various sp's downloaded and installed, jumping through the usual hoops of somehow getting it registered correctly and setting things up all nice and pretty, I just have to say: ye gods - I hate Windows. I really, really just do.

      I read somewhere a long time ago that the OS should be invisible to the applications when you're using them and I think this never rang truer than of Microsoft's 2,000lb Gorilla. After 5 hours of getting everything nice and tidy so actual programs could be installed, I ran back to my laptop (debian), opened the Gimp and just sat there drawing kindergarten-esque doodles for an hour to meditate the negative OS microwaving I'd just gotten out of my skull. I honestly hate to think I'm an OS hater, but cheesez...

      Point? I don't suppose I have one other than exorcising that particular demon in public. However, I think that any company that has to protect ITSELF (claiming it's protecting me) when its product is on my computer is NOT worthy of my trust and will never earn it by providing their own "certificates".

      Please don't beat me for venting; just had to get that out...

    16. Re:Surprised this isn't regulated more closely by Alarash · · Score: 3, Interesting

      I attended a Check Point keynote last year in Barcelona, where the speaker described how Stuxnet came to existence. Stuxnet also used digitally signed certificates used to authenticate a program's developer (usually a company). One came from Realtek, I forgot the other one.

      The presenter said that these certificates had been signed by the CA that Microsoft delegated to these companies. Normally these CA servers stand in a highly secured room, with no network connection whatsoever. The certificates still got leaked. Something similar must have happened here. These are highly sophisticated pieces of malware, with virtually no expense spared to build them (for the Stuxnet example, you had to have your own Siemens PLC, something huge and expensive and hard to come by). So it's not really surprising they could just pay a disgruntled employee, or hack into the building, or do some James Bond stuff, or god knows what, to get their hands on these certificates.

    17. Re:Surprised this isn't regulated more closely by cavreader · · Score: 0

      And you and every other person pushing this thesis have never produced a single piece of variable evidence that any government agency forces MS to do their bidding or install back doors to their systems. If they did this with MS why not do the same arm twisting with Apple or any other major software development firm? It would be nice if someone started using facts instead of speculation when evaluating the world around them but the problem is getting worse by the day. All the fucking retards growing up believing everything they read on the Internet is true or if they encounter a piece of information that offends their sensibilities they just go hunt down another site that can provide them with more palatable information.

    18. Re:Surprised this isn't regulated more closely by SomePgmr · · Score: 1

      Didn't we more-or-less admit having made these (likely in partnership with Israel) at the end of last week?

    19. Re:Surprised this isn't regulated more closely by Spiked_Three · · Score: 1

      Ah, I see you have never dealt with the NSA, never signed an agreement for secret information, or a generic security clearance, and thus have no idea what you are talking about. And what evidence do you have that Apple has not done the same, other than the total lack of market, especially in Iran?

      Clamp it troll.

      --
      slashdot troll = you make a compelling argument I do not like the implications of.
    20. Re:Surprised this isn't regulated more closely by detritus. · · Score: 2

      I don't buy it. Microsoft would give their left nut to maintain their revenue stream from governments.
      1. Sign code.
      2. Deny and denounce the practice, promise to "fix the problem".
      3. PROFIT.
      4. Repeat.

    21. Re:Surprised this isn't regulated more closely by detritus. · · Score: 1

      Sure gives this more credibility, don't it?

      https://en.wikipedia.org/wiki/NSAKEY

    22. Re:Surprised this isn't regulated more closely by Anonymous Coward · · Score: 0

      So far so good, check this out
      http://www.microsoft.com/israel/rnd/index.html

    23. Re:Surprised this isn't regulated more closely by hairyfeet · · Score: 2, Insightful

      So let me get this straight...you installed a TWELVE YEAR OLD OS and then are BITCHING because the company actually gave you patches instead of forcing you to upgrade like the OS you are singing the praises of? please stay with Linux, you are obviously too big of a dumbass to run Windows.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    24. Re:Surprised this isn't regulated more closely by Anonymous Coward · · Score: 0

      Didn't we more-or-less admit having made these (likely in partnership with Israel) at the end of last week?

      Some guy published a book claiming the Obama administration was behind it, but short of buying the book I had no way to verify that story at all. Nowhere in the NYT article (advertisement) was there mention of any source. It was all reported as fact, but for all I can tell it is fiction.

    25. Re:Surprised this isn't regulated more closely by Anonymous Coward · · Score: 0

      Why should I believe you over somebody who disagrees with you? What makes you more credible than him? I'm not saying that what you say is implausible, it's just anyone can sign up for an account here and make claims. Something like a real name, employer, and what you worked on would help with your credibility gap. If you're not willing to divulge any of that, which I could understand, then you have no standing to call other people trolls for disbelieving you.

    26. Re:Surprised this isn't regulated more closely by Crosshair84 · · Score: 1

      ageing yet speedy little 3ghz p4

      Sorry, the problem is not Microsoft, it's you installing Windows XP on a machine that old. Our customer service people at work are running 3ghz P4's and they ONLY run our billing software and we are going to be trashing those machines later this year because they are so slow. We are debating about going with an Atom or E350 based board or just future proof things by using the 1155 boards we use for the DVRs we sell.

      All my computers at home are built with the old stuff from work, a P4 would be thrown in the dumpster and never make it to my car. If it's not a dual core I don't bother with it. They are too old, too power hungry, and too slow. You're so spoiled with modern hardware you're forgetting what life used to be like. I still have my P166 MMX laptop with Windows 98 and installing Windows 98 takes half a day. If you're not on food stamps, using ISA slots, or in a 3rd world country you have no reason to be running a single core P4. The local thrift shops have dual core computers.

      You also neglected to say how much RAM you had in that machine. My bets are it had 512mb or less, likely 256mb unless you upgraded it. OF COURSE XP is gonna drag ass with that little RAM. You're trying to tow a boat with a Ford Fiesta and then trying to blame YOUR poor planning on the Fiesta. Though to be fair, you admit to having next to no recent Windows experience, so chalk this up as a learning experience for future reference.

    27. Re:Surprised this isn't regulated more closely by sjames · · Score: 2

      However, this shows that the main 'benefit' MS claims for their lock in and lock down scheme is likely just hot air. If they can't keep their cert under control, the 'safe boot' becomes all downside.

    28. Re:Surprised this isn't regulated more closely by sjames · · Score: 1

      But isn't Windows (then and now) supposed to be easy while Linux requires you to be some kind of computer genius to use (according to MS PR)?

      Something doesn't seem quite right there!

      Note that I can install a 12 year old Debian system, do a dist-upgrade and be running the latest and greatest. Of course, since I can as easily download a current iso without Debian grabbing at my wallet, there's no need to do that.

    29. Re:Surprised this isn't regulated more closely by dacut · · Score: 1

      Normally these CA servers stand in a highly secured room, with no network connection whatsoever. [...] So it's not really surprising they could just pay a disgruntled employee, or hack into the building, or do some James Bond stuff, or god knows what, to get their hands on these certificates.

      I'm a bit skeptical about the seriousness with which the hardware vendors treat security. Depending on how rushed to market the product is, a lot of corners are cut in both hardware and software development -- and Realtek seems to be no exception in my experience. We see malware on fresh-from-the-factory hard drives and USB drives, tagging a ride on drivers, etc., all the time.

      And the Stuxnet architects said it best: "It turns out there is always an idiot around who doesn't think much about the thumb drive in their hand."

    30. Re:Surprised this isn't regulated more closely by cavreader · · Score: 1

      You are wrong about my employment history. Just keep making up stuff without facts only supports my statement.

    31. Re:Surprised this isn't regulated more closely by smash · · Score: 1

      Because someone having to steal a certificate first, and then get malware to spread significantly before the certificate is revoked is so much less secure than not signing your code at all?

      Oh please. Next you'll be saying we shouldn't bother to lock our doors because someone can just throw a brick through the window too, yes?

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    32. Re:Surprised this isn't regulated more closely by smash · · Score: 1

      Compare it to a Linux install from 12 years ago.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    33. Re:Surprised this isn't regulated more closely by smash · · Score: 1

      More importantly... compare it to a Linux install from 12 years ago, that you then attempt to upgrade to current security patch level without breaking it without a reinstall.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    34. Re:Surprised this isn't regulated more closely by Spiked_Three · · Score: 1

      Pretty simple actually. I said "impressive things happen when you tell the NSA no", you can take that, as it is, and choose to believe it or not. Your opinion from there on will be highly influenced by how likely that statement is to be true or not. If you, like the poster who referred to me as "All the fucking retards", do not believe it, I have no interest or need in trying to convince you otherwise.

      But for research, Mike Partain, employed since the 80's in the Washington DC area in both government and non government IT activities, including, naval personnel, various gigs for three letter agencies I am legally obligated not to name, finished a career working for the retired chief of cryptography CIA, company called Tecsec. He was the co-creator of the Kryptos statue at the CIA that has yet to be cracked (I think it's still unbroken, I could be wrong). During my time with him, I never worked on a classified project, but I certainly was aware of impacts classified projects had on the company. Anything else?

      --
      slashdot troll = you make a compelling argument I do not like the implications of.
    35. Re:Surprised this isn't regulated more closely by smash · · Score: 1

      Could be done just as easily without Microsoft's involvement, and without Windows being involved. Government pays/bribes/extorts major CA to give them the private key used by X secure service. Service is then subverted. Whether it is for code signing, HTTPS, etc.

      Some people seem to think that PKI is a silver bullet. It's not. However just because it can't protect against 100% of edge cases, doesn't mean that it is worthless. Any slashdotter worth their salt should know that security is built in layers. PKI is just a single layer.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    36. Re:Surprised this isn't regulated more closely by sjames · · Score: 1

      Note that I can install a 12 year old Debian system, do a dist-upgrade and be running the latest and greatest.

    37. Re:Surprised this isn't regulated more closely by zyzko · · Score: 2

      Umm...Siemens PLCs are not that hard to acquire, sure, there are some safeguards that they don't sell you all the parts you need to make a centrifuge capable of enriching uranium from the same shop. But those S7-300's and their control/programming software are not hard to come by, an eBay search gets you everything you need to test your version of Stuxnet on real hardware for about a thousand dollars.

      And if you work in any decent sized engineering company you can just "loan" the demo units.

      In the case of Stuxnet Verisign was at fault - they somehow screwed up along the way - leaked the JMicron and Realtek signing certificates or actually someone at JMicron or at Realtek (or someone impersonating an employee wanting to sign code legitimately) got someone to sign something they should not have signed.

      Not the first time, and won't be the last - whether someone paid somebody is irrelevant, there seem to be several ways to hack the signing process socially.

    38. Re:Surprised this isn't regulated more closely by hairyfeet · · Score: 1

      I have actually tried this BTW, just to shut up those "Linux is ready for the desktop!" types, only instead of 12 years old I gave them a HUGE advantage by only going back 4 years, less than half the established MSFT lifecycle for OSes. What did I get? BROKEN BOXES, nothing but broken boxes as far as the eye can see.

      In just the past 4 years they've gone from ALSA to Pulse, GNOME 2 to 3 and KDE 3 to 4, it was just a fucking mess! Wireless wouldn't work, Ethernet would just drop in and out, give audio up it was just a mess, and of course the Nvidia and ATI drivers were crapped on, the Intel worked but only in VESA mode. So what did I get told then? "Well you should use Red Hat, it's supported" yeah at $399 a year it IS supported, it's also 40 times the cost of Windows over that same 10 year cycle.../facepalm/

      For all those that think Linux is ready I invite you to read this article by Ingo Molnar, who is one of the head developers at Red Hat. If ANYBODY would know what is wrong with Linux this would be the guy, and he says mistakes such as lack of an ABI for drivers and a system where the devs try to "own" and control the repo has led to the "death cries" of the Linux platform. It is simply impossible to do QA on 20,000 packages and over a billion lines of code, it simply can't be done. THAT is why Linux doesn't work for the majority, because it simply can't keep up with the changes in hardware and software.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    39. Re:Surprised this isn't regulated more closely by Anonymous Coward · · Score: 1

      No, that's if you like phisting.

    40. Re:Surprised this isn't regulated more closely by tftp · · Score: 1

      Why do the Iranians persist in using Windows?

      In case of Stuxnet Iranians simply bought the centrifuges with control boxes and all. You cannot rewrite *that* overnight, not without engineering documentation that the customer doesn't have.

      Probably other cases are similar. If a country has a large installed base of Windows it cannot drop it all overnight. It would be chaos everywhere, with every pension payment missed, with all paychecks not printed, with all work orders not issued, with all maps lost... It's very tough to switch the OS.

    41. Re:Surprised this isn't regulated more closely by smash · · Score: 1

      As someone who was running debian in production on internet facing servers between 1999 and 2005, I'm telling you it isn't always that straightforward.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    42. Re:Surprised this isn't regulated more closely by smash · · Score: 2

      Exactly. Until the linux crowd stop reinventing the wheel, commit to an API/ABI standard and actually support an upgrade path, this shit will continue to happen.

      I even had one kernel upgrade swap the order of NIC detection around on a firewall, so that eth0 (inside) became eth1 (outside) and vice versa due to the internal hardware detection order changing. Nice one. Thus, after that I moved all my NIC drivers out to modules to force them to load in a particular order - but no doubt eventually even that would get broken due to some genius deciding to scan the PCI bus in a different order or something and 2 NICs of the same chipset would get swapped.

      And yes, until they get a stable driver ABI, expecting hardware OEMs to bother trying to keep up support for such a niche platform is a joke. It works both ways kids - don't expect people to write drivers for your OS if you can't provide a stable standard interface.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    43. Re:Surprised this isn't regulated more closely by sjames · · Score: 1

      I have used Debian in production since '98 and played with it before that. More than once I have built distros halfway between stable and testing as needed. A 12 year old system would be Potato (or Slink if you want to be pedantic). Transitioning from a production Potato system to Squeeze would involve some re-configuration as some packages were deprecated and replaced by different but equivalent ones, but that's not an issue if for some odd reason I want to bootstrap a new install from a Potato ISO (why I wouldn't just burn a netinstall, I can't say). The target system would have to not be filled with new hardware the old install had no drivers for, but that's the case for installing XP as well.

    44. Re:Surprised this isn't regulated more closely by mcgrew · · Score: 1

      It's not often I side with an AC, but he's right. You would think that after twelve years they would have had the holes closed tight as a drum, but apparently they either don't care to make their OS a quality product, or they're simply not competent (my guess would be "don't care", they did a good job with Excel so they must have a few excellent programmers).

      I had the same thing a few months ago, a friend brought his ageing Dell for me to fix, including its OS and driver disks. So I just installed XP on a computer a few months ago; the OS was too trashed to run. In 10 years of using Linux, various flavors, I've never seen it hosed like Windows gets.

      Sadly, Windows couldn't find the drivers on the disks or on the internet. There's no way W7 would have run on that box, even if my friend wanted to shell out a couple hundred bucks for it. So I slapped Mandriva 2005 on it. Which, BTW, is safer than a brand new out of the box copy of W7.

      please stay with Linux, you are obviously too big of a dumbass to run Windows.

      That was funny! But actually, since installing Windows is such a pain in the ass and running it is so frustrating, you're right. I prefer an OS that just works. The computer should jump through the hoops, not me. I shouldn't have to hunt for drivers, especially when I have them on a CD. I shouldn't have to have someone mention in a slashdot comment how to make Windows start without entering the password, and I shouldn't have to run a program from the goddamned command line that's included with Windows to do so.

      Windows just sucks, period.

    45. Re:Surprised this isn't regulated more closely by mcgrew · · Score: 2

      YOu are already thrusting MS to run code (the "OS") on your computer.

      No I'm not, I'm running kubuntu. Not trusting MS is one of the many reasons why.

    46. Re:Surprised this isn't regulated more closely by mcgrew · · Score: 1

      Because someone having to steal a certificate first, and then get malware to spread significantly before the certificate is revoked is so much less secure than not signing your code at all?

      Yes, because the user will think the door's locked when it's wide open. This makes SafeBoot worse than useless.

      Oh please. Next you'll be saying we shouldn't bother to lock our doors because someone can just throw a brick through the window too, yes?

      No, I'll lock my own damned door rather than trust a crackhead (microsoft) to lock it for me.

    47. Re:Surprised this isn't regulated more closely by mcgrew · · Score: 1

      In just the past 4 years they've gone from ALSA to Pulse, GNOME 2 to 3 and KDE 3 to 4, it was just a fucking mess! Wireless wouldn't work, Ethernet would just drop in and out, give audio up it was just a mess, and of course the Nvidia and ATI drivers were crapped on, the Intel worked but only in VESA mode. So what did I get told then? "Well you should use Red Hat, it's supported" yeah at $399 a year it IS supported, it's also 40 times the cost of Windows over that same 10 year cycle.../facepalm/

      It's true that Nvidia and ATI suck (damned MS only shit, like the "winmodems" used to be), but the rest of your rant is unadulterated bullshit. Ethernet doesn't drop out unless you're trying to network with a Win7 box; Microsoft deliberately crippled 7's network capability. Its own files say you need a copy of W7 pro on the network for it to work, so it's a wonder the Samba people got it going at all. Maybe I just got lucky with the Acer notebook, but I haven't had trouble with wireless and kubuntu at all (but on its native OS, Win 7, sometimes wifi does get flaky).

      How's that BlueTooth support on your Windows box? I bought a Bluetooth dongle to transfer photos from my phone, it came with Mac and Windows install CDs, but no Linux. I figured Linux simply wasn't supported. I was wrong. I didn't have to install anything to get Bluetooth working, all I had to do was plug the dongle in and it worked. No muss, no fuss, no installation, no reboots, no problem. Quite unlike Windows, where I had to copy the disk to a thumb drive, install the drivers and program, and reboot twice.

      As to Red Hat, I haven't screwed with that in a decade, because I simply fucking HATED it when I tried it. Red Hat is not a desktop OS, it's pretty much server-only, or at least looked that way 10 years ago.

      Try kubuntu or Mandriva.

    48. Re:Surprised this isn't regulated more closely by Nyder · · Score: 1

      So let me get this straight...you installed a TWELVE YEAR OLD OS and then are BITCHING because the company actually gave you patches instead of forcing you to upgrade like the OS you are singing the praises of? please stay with Linux, you are obviously too big of a dumbass to run Windows.

      Okay, by your standards then, if all windows OS's are 12 years old, then linux is 21 years old.

      Oh wait, the linux kernel has been updated during that time? Well, shit, the Windows kernel has been updated during that time.

      So, exactly who is the dumbass here?

      Plus this is a certification problem, meaning as long as the computer thinks the certificate is good, then it doesn't matter if it's Windows XP or Windows 8, it's going to accept it.

      --
      Be seeing you...
    49. Re:Surprised this isn't regulated more closely by hairyfeet · · Score: 2

      And notice the guy below your post using the classic Use Distro X because it doesn't matter WHICH distro you try, or the fact that there really are only a few main branches (Debian, Red Hat, and Slax) with just a little futzing (which breaks more things natch) nope, it's use distro X! (TM)

      For the record I invite anyone to try my experiment and I tried Ubuntu/Kubuntu/Xubuntu, PCLOS, Fedora (I know but I got told Use Distro X with Fedora enough times I did it to shut them up) Mepis, Slax, and a couple more that were niche enough I can't recall the names without looking them up which I can't be arsed and why should I? Pick your poison, the results are the same. Take ANY version from 4 years ago and upgrade to current using ONLY THE GUI as a normal user would be expected to do and THE OS WILL BE BROKEN. It might be totally broken or it might be just slightly broken but it WILL be broken!

      And for those that say "Windows will do the same!" BULLSHIT, Bull fucking shit. You get TEN YEARS of support for ANY MSFT OS, home or business. You can't even get a four year old Linux to upgrade without crapping all over itself, especially wireless and sound (although for McGrew I found SiS and AMD NICs got crapped on a lot too) and I'm sure as fuck not gonna bankrupt myself giving away free lifetime support because the damned OS can't even stay current without having the devs take a massive dump all over the damned place.

      So believe me friend, what you had happened to you was just the top of a VERY shitty cake. I bet you were using enterprise grade hardware, which while still getting shat upon at least gets shat upon less, try it with any of the hardware you get at your average OEM and see how it goes. They say it's a drop in replacement for Windows but that is only in bizarro world, I've had less hassle taking an XP RTM and upgrading it to current, that is TWELVE YEARS of updates and service packs, than getting even a four year old Linux to update its security state without taking a crap. It's just too big of a buggy unstable mess for the masses and THAT is why OEMs and shops like mine won't touch it PERIOD.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    50. Re:Surprised this isn't regulated more closely by tjbp · · Score: 0

      While the guy you originally replied to doesn't seem to have had a point to make; with respect, it doesn't sound like you know what you're talking about either.

      In just the past 4 years they've got from ALSA to Pulse, GNOME 2 to 3 and KDE 3 to 4, it was just a fucking mess!

      Who is "they"? There simply isn't a centralised institution that maintains and coordinates every Linux distribution. If there was, your criticisms would have a legitimate platform, and the Linux vs. Windows argument might actually progress.

      Honestly, I think anyone that feels the need to point out "Linux"'s position regarding the desktop (ie. is it "better" than Windows yet), should read up on open source projects and their ecosystems, or just stick to what they're familiar with.

    51. Re:Surprised this isn't regulated more closely by smash · · Score: 1

      There's even a youtube video from memory of a guy doing an upgrade from 3.0 all the way through...

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    52. Re:Surprised this isn't regulated more closely by smash · · Score: 1

      I started with Bo for personal use, back in what... 1996. Kernel changes have screwed me over on multiple occasions. Yes, I can fix it. That's not the point. I'm not a regular end user.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    53. Re:Surprised this isn't regulated more closely by lsatenstein · · Score: 1

      Why do they call the study of malware and viruses a security problem? Is it not an insecurity problem?

      We should take a course in insecurity analytics.

      The local university is giving a degree program in cyberxxx where xxx is IR fraud, networking IT hacking and phishing etc and criminal fraud based on cyber actions.

      --
      Leslie Satenstein Montreal Quebec Canada
    54. Re:Surprised this isn't regulated more closely by hairyfeet · · Score: 1

      Yep and surprise! It ran just fine. I've seen one where the guy actually went from 1.0-Win 7 but I don't know if that should count because he had to use a VM since naturally hardware from 1985 wasn't gonna run even Win98.

      But the bigger problem is support. Linux support is PISS POOR unless you buy the enterprise distros which cost hundreds yearly and thus again you'd be better off with Windows. They simply have NO compelling argument to use their product, none. Software? Windows runs FOSS as well as proprietary so no gain there, all the free software that anyone cares for on Linux has a Windows port. Hardware? I've installed Win 7 just for shits and giggles on a 1.6GHz P4 with a Gb of RAM and you know what? Didn't even have to download a single driver, they all "just worked" right OOTB. Support? The BEST you can get is 5 year LTS and if you'll look closer that "support" means you can just run old shit with old bugs. WinXP still will run the majority of 2012 software OOTB, and finally cost? Win 7 HP is $89 OEM, if you buy the family pack it comes out to $40. That is for THREE PCs with support until 2020, there is NO distro that even comes close for that price point. In fact at $35 an hour all it takes is a single boned driver for Linux to cost me as a retailer MORE than just using Windows.

      In the end there just is no damned point in Linux on the desktop, none at all. In the server space the high cost of the top tier versions along with the cost of user CALs means that if you are running a dozen servers then yes, Linux makes sense. Although frankly every place I've seen with Linux servers also used a WinServer to manage the desktops as Linux has yet to come up with a product that equals WinDesktop+GPOs+AD=Exchange+Sharepoint for ease of use, but on the desktop? It's completely fucking POINTLESS. It does NOT save you money if your time is worth anything at all, does NOT save you time, does NOT save you effort, it just doesn't have a point which is why every major B&M and retailer avoids it. It's just not good for that purpose, period.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    55. Re:Surprised this isn't regulated more closely by smash · · Score: 1

      Hmm. Depends on your industry. Internet service provision, Linux is high performance, efficient and more easily secured. But so is FreeBSD, and they actually care about backwards compat and a stable ABI. But it's a very small niche.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    56. Re:Surprised this isn't regulated more closely by hairyfeet · · Score: 1

      I have NO problem with niche software, I have to support some engineers running Solidworks so I know all about software that is niche. If I were running an ISP? Damned straight my backbone would be running BSD.

      But what we are talking about is the loons that think Linux is NOT a niche OS and is instead a competitor to OSX and Windows which is frankly not only stupid but more than a little crazy. More than 90% of the progress made in Linux is made by corps for the SERVER space, they don't give a rat's ass about the desktop because unlike the FOSSies they use what works best for a given job and Windows plus a WinServer to manage them is a simple turn key solution.

      So it doesn't change the fact that using just basic logic you can totally demolish their arguments in favor of a Linux desktop in minutes. Oh if you want to LYAO go over to Linux Insider and read any of Noyes' articles, look for anything quoted from Pogson. He's a classic FOSSie and shows the mindset of their kind, he even has "Voldemort Syndrome" where he can't type MSFT or Microsoft or MS, he MUST type "That other OS" or M$ when he is feeling brave. It's funny as hell!

      In the end Linux desktops has become a niche religion to these people, like waiting for their savior to float down on a fluffy cloud and deliver the true believers to the head of the table. It won't ever actually happen of course, but just as you had batshit people that thought a UFO behind a comet was gonna take them to paradise so too do you have the FOSSies thinking a CLI (which is simply a crude USER interface, the computer doesn't actually understand what is typed into bash any more than it does poetry but to hear them tell it that is the magical way of talking "directly" to the computer when all it is is an API) has mystical powers and that "If only the world would try our crap they'd see it's GREAT crap!" while ignoring the whole "crap" part.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    57. Re:Surprised this isn't regulated more closely by nobodie · · Score: 1

      Dear Friends,
      Why are we (and I mean you) getting sucked into an argument that has absolutely no reasonable conclusion? The reason why it can't end well for either side is that it is a failure in logic to be arguing something that has no useful application.

      Now, I don't know, or appreciate, why the gggp had to vent in public about WinXP and start this folderol, but they did. The correct, and polite response would have been to ignore it. Hairyfeet, SJames all the rest of us should have just turned away and moved on. Instead it was used as a platform for everyone to get into a ridiculous and overblown war about our favorite topic: "Whose OS is the best."

      Now we all know, already and ad nauseam, that this will get us nowhere. So let's try to remember this. Someone could call the gggp a troll, and whether it was an intentional troll or not they would be right: simply because their venting started a flamewar. But, we all know that it is our responsibility to not respond to trolls, to perceive where replies would lead and to remain quiet. Especially those of us with reason.

      Now, please read, hang head a second, and let's STFU

      --
      Subversion of spatial scale luxury decoration ideas.
    58. Re:Surprised this isn't regulated more closely by mcgrew · · Score: 1

      Sometimes in these OS war threads, I actually learn something. Any learning is a plus, whether it's someone teaching me, or me teaching someone else.

  2. Yay for security! by Anonymous Coward · · Score: 5, Funny

    Proving once and for all that Microsoft's control of the bootloader key that is used everywhere will make all future computers more secure!

    1. Re:Yay for security! by the_B0fh · · Score: 3, Informative

      No, *MOTHERBOARD* manufacturers can add other keys. If you can't even boot to an alternative OS, there's no way in hell you could _CHANGE_ the damned keys, unless there was a vulnerability.

      So please stop your FUD.

    2. Re:Yay for security! by peppepz · · Score: 5, Interesting

      GP is perfectly right, if anything. Microsoft will control by default all bootloaders, and this event shows that Microsoft are unable to maintain their chain of trust. The fact that there can be (or not - cf. ARM) an undocumented, user-unfriendly, unspecified procedure to add other people's keys doesn't change a bit of that.

    3. Re:Yay for security! by Anonymous Coward · · Score: 2, Informative

      Wrong. On the x86_64 platform you will be able to boot into BIOS and add a new root key.

      That is not true for ARM "Windows 8 Ready" platforms, but seriously who cares about ARM on the desktop?

    4. Re:Yay for security! by peppepz · · Score: 5, Insightful

      First they came for ARM on the desktop, and I didn't speak because I didn't care...

    5. Re:Yay for security! by EasyTarget · · Score: 2

      See comment by peppepz below, kludgy workarounds only available to geeks != freedom for the masses

      --
      "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
    6. Re:Yay for security! by a90Tj2P7 · · Score: 0, Flamebait

      No, *MOTHERBOARD* manufacturers can add other keys. If you can't even boot to an alternative OS, there's no way in hell you could _CHANGE_ the damned keys, unless there was a vulnerability.

      So please stop your FUD.

      UEFI is the new BIOS, you don't need to boot into any alternative OS to manage it. For x86 systems, there is absolutely a means to change or add keys. This is widely-known and reported. Check your facts.

    7. Re:Yay for security! by tepples · · Score: 3, Interesting

      For x86 systems, there is absolutely a means to change or add keys.

      So how will publishers of alternative operating systems be able to train home users in adding the key needed to install another operating system?

    8. Re:Yay for security! by mlts · · Score: 1

      Right now, ARM isn't that big, but there is a lot of talk about the jump to using ARM for servers and such because of the better MIPS per watt ratio it has over x86.

      For things that are relatively lightweight in CPU, such as NTP servers, DNS, DHCP, and other basic services, ARM would excel. And MS demanding that only their key would ensure that every time ARM advanced in the enterprise, Windows would come with it.

    9. Re:Yay for security! by betterunixthanunix · · Score: 4, Insightful

      That is not true for ARM "Windows 8 Ready" platforms, but seriously who cares about ARM on the desktop?

      Maybe you are not creative enough to think of a reason to use ARM on a desktop? I can think of some:

      1. Low power situations -- I have a little ARM desktop that uses only 4W of power; this would be great if I were in a situation where I had to generate my own power, e.g. in a boat, in an RV, in a shack somewhere, etc.
      2. Low cost computers e.g. Raspberry Pi.

      There you go, some situations where an ARM desktop might make sense. Really though, this misses the more important point: why should a computer user ever be barred from installing the software they want to install? Allowing people to install new signing keys for their computer is not at all unreasonable; it could be as simple as pressing a button and inserting a thumb drive (enough effort to make social engineering harder, but not so much effort that an untrained person would not be able to handle it).

      --
      Palm trees and 8
    10. Re:Yay for security! by Anonymous Coward · · Score: 0

      The same way they train home users to install another OS?

    11. Re:Yay for security! by tepples · · Score: 2

      Before UEFI Secure Boot, installing a new operating system was a matter of putting the CD in or plugging in the USB drive and rebooting. Recent versions of Ubuntu, for example, would give the option to shorten your Windows partition. But now, the problem will involve getting the new operating system's key into the UEFI environment.

    12. Re:Yay for security! by recoiledsnake · · Score: 4, Insightful

      No, first they came for phones and tablets, and they can barely keep them in stock with people falling over themselves and risking stampedes to buy them.

      http://www.macobserver.com/tmo/article/gartner_apple_turns_its_complete_inventory_every_5_days/

      But somehow it's fashionable only to slag Microsoft on here and ignore the elephant in the room with the lion's share of devices and profits.

      --
      This space for rent.
    13. Re:Yay for security! by 0123456 · · Score: 5, Insightful

      The same way they train home users to install another OS?

      Boot from CD and hit 'Install'?

      Nope. Not going to work in the Glorious People's Secure Boot Dictatorship.

      In fact, I presume you won't even be able to boot from CD without disabling 'Secure Boot' in the BIOS.

    14. Re:Yay for security! by 0123456 · · Score: 1

      And MS demanding that only their key would ensure that every time ARM advanced in the enterprise, Windows would come with it.

      Except ARM machines are easy to build and most of them currently run Linux. Just because Windows tablets won't boot Linux doesn't mean that companies making ARM products would want to pay a Microsoft Tax on a $20 piece of hardware.

    15. Re:Yay for security! by a90Tj2P7 · · Score: 1

      And how many home users don't know how to burn an ISO, create a bootable flash drive, and/or check/change their boot order?

      But now, the problem will involve getting the new operating system's key into the UEFI environment.

      Yes, registering with MS for $99 (which goes entirely to Verisign) is an insurmountable problem.

    16. Re:Yay for security! by Anonymous Coward · · Score: 0

      To you it seems so simple. Try it with a typical home user. To a person like you, the UEFI key stuff will not be a problem. Whereas a normal home user won't even get to that step in the first place! They'd get stuck way before reaching there.

      A typical home user wouldn't even be able to create a bootable USB drive by themselves, or even realize there's such a thing. They might not even know about the most popular Desktop Linux distro to bother downloading it. For most home users they buy a PC with the OS they want to use - Windows or OS X.

    17. Re:Yay for security! by QuantumRiff · · Score: 2

      Why would anyone want a laptop with a 10 hour battery, that weighs almost nothing.. you're right..

      I would kill for one to come out, at a decent price point, to be my new Ubuntu powered laptop.

      --

      What are we going to do tonight Brain?
    18. Re:Yay for security! by shiftless · · Score: 0

      Yes, registering with MS for $99 (which goes entirely to Verisign) is an insurmountable problem.

      Damn right it's insurmountable. You think I'm sending Verisign $99 just to use my own goddamn computer? Fuck that shit. I don't support the security certificate racket. My insecure computer is fine with me, thanks.

    19. Re:Yay for security! by Anonymous Coward · · Score: 1

      Do you understand what you're talking about? The producer of the software (ex: Fedora) gets a single license, once. Not the user, not per user. That makes zero sense. This isn't, in any way, about end-user licensing - it's about certifying the source of software.

    20. Re:Yay for security! by Vanderhoth · · Score: 1

      I can't tell are you talking about Apple or MS?

      Your article was about apple turning over product, tablets and what not, but you seem to be claiming that MS sells the "lion's share of devices and profits"

      Overall I'm not a fan of either, but I can see both companies get bashed quite a bit here. I think it's mostly fan-boys making wild claims about how good their preferred company is while ignoring what drawbacks come with each, which leads the community to be generally cynical and disdainful of either.

      I'm not a fan of MS being able to lock their operating system in to a machine. As the GP lead to, maybe they're not locking into everything at the moment, but this will make it difficult to install any other OS on a machine bought from a brick and mortar store and in the future this lock-in could be expanded to all hardware. Basically killing anyone's abilities to change to a Linux based OS if that's what they desire.

    21. Re:Yay for security! by peppepz · · Score: 1

      Trust me, I don't like either of them. But I'm more pissed about MS locking the PC platform because, well, to be honest it was the only truly open generic-purpose computer platform remaining. Microcomputers are no more. UNIX workstations are history. The Mac is going the way of the iPhone, and it never was open from a hardware point of view. We're risking to live in a world where the most open computing platform is... the chromebook, yuck! And only as long as those things keep having the freedom switch under their keyboards...

    22. Re:Yay for security! by Anonymous Coward · · Score: 0

      Yes, registering with MS for $99 (which goes entirely to Verisign) is an insurmountable problem.

      They shouldn't have to do that because UEFI shouldn't exist to begin with.

    23. Re:Yay for security! by jawtheshark · · Score: 1

      Like this? I have one, works ok... Not ecstatic about it, but does the job. Was damn cheap too. I have the smaller model, the bigger model promises 10 hours. My initial review. Haven't played much with it. It lies by my bed for the occasional sysadmin tasks when I get alerts.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    24. Re:Yay for security! by Anonymous Coward · · Score: 0

      Why would anyone want a laptop with a 10 hour battery, that weighs almost nothing.. you're right..

      I would kill for one to come out, at a decent price point, to be my new Ubuntu powered laptop.

      Ok then. Your target is Steve Ballmer. Your weapon? A chaise lounge. You'll be paid handsomely with 3 new Ubuntu ARM powered laptops that have 10 hours of battery life. Do we have a deal? ;)

    25. Re:Yay for security! by recoiledsnake · · Score: 1

      I don't see PCs being completely replaced by Windows RT tablets or ARM desktops even in the medium term future. If it's a Windows x86 device, you can install whatever you want in it, if you are willing to configure UEFI on your PC.

      --
      This space for rent.
    26. Re:Yay for security! by sjames · · Score: 1

      Who said our concerns are limited to the desktop?

    27. Re:Yay for security! by Anonymous Coward · · Score: 0

      At no point was it stated in the GP that all the secure keys would be controlled by Microsoft (except for arm, of course, but we'll just hand wave past that and pretend that's just an isolated incidence not to be analyzed), just that Microsoft's key would be used just about everywhere, a de-facto standard key, if you will. No FUD here, it is 100% truth, including the implication that one cannot hold this action from Microsoft up as being, first and foremost, a security measure. The intent of Microsoft is to reduce the likelihood of competing operating systems from running on future hardware. If the collective you keep trying to say "nuh uh, security is the reason for these actions", then I'll point back to this incident as showing how ineffectual it is as a security method, given that Microsoft is either too incompetent or untrustworthy in guarding their keys.

    28. Re:Yay for security! by vux984 · · Score: 1

      . But now, the problem will involve getting the new operating system's key into the UEFI environment.

      Maybe that's why Red Hat paid the $99 bucks to Microsoft to get signed so that Red Hat users could use the Windows key that is already in the UEFI environment, without having to get everyone to install new keys...

      There was even an article on slashdot about it a few days ago.

    29. Re:Yay for security! by peppepz · · Score: 1

      But the trend is clear.
      Moreover, the option to disable the so-called "secure boot" was only made mandatory at the last minute, AFTER the protests had sparked against Microsoft. Their position during 2011 was "hey, we're not locking you out of your PCs, it's the OEMs that will do it". Without the public outrage, we would probably already have Microsoft-locked PCs now. I'll bet they'll try again at the next occasion, after the population has got used to having less freedom.

    30. Re:Yay for security! by gmhowell · · Score: 1

      First they came for ARM on the desktop, and I didn't speak because I didn't care...

      You got that right.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    31. Re:Yay for security! by VortexCortex · · Score: 1

      No, first they came for phones and tablets...

      But somehow it's fashionable only to slag Microsoft on here and ignore the elephant in the room with the lion's share of devices and profits.

      Well, two things:
      0. I guess that depends on who "they" refers to, now doesn't it? Or are you saying that Microsoft IS Apple?
      1. Who really gives a crap who came for what first? Focus on the solution. What matters is if we can use this SNAFU to keep them from taking more stuff now.

    32. Re:Yay for security! by shiftless · · Score: 0

      I don't give a shit what it's about.

      Not using it.

    33. Re:Yay for security! by recoiledsnake · · Score: 1

      >But the trend is clear....after the population has got used to having less freedom.

      The trend was clear from when Apple implemented Microsoft's Trusted Computing (Palladium). There was a huge outcry in the earlier part of last decade because it was from MS (just like the bitchfest recently). But when it was from Apple, everyone loved it and lapped it up, and Apple can't keep their iProducts in stock because the population loves having less freedom, apparently. See locked bootloaders on many Android phones, tablets, Kindle Fire, Nook etc. etc.

      Why should MS be singled out and hobbled with restrictions when Apple is the one that's dominating ARM device/tablet sales? Apple is the elephant in the room that no one wants to talk about in the discussion. And I can understand why, it completely undermines their rants against MS. In other discussions about Windows 8, the overall gist of the comments is that it will completely crash and burn.

      --
      This space for rent.
    34. Re:Yay for security! by recoiledsnake · · Score: 1

      >0. I guess that depends on who "they" refers to, now doesn't it? Or are you saying that Microsoft IS Apple?

      Well, I guess they're mostly similar. But I meant Apple, but it implies the same general "they" as in the "they came first" meme.

      >1. Who really gives a crap who came for what first?

      Apparently, my Parent comment (now GGP) "+5 Insightful" did by saying "First they came for ARM on the desktop...". So I was trying to correct him/her.

      > Focus on the solution. What matters is if we can use this SNAFU to keep them from taking more stuff now.

      I don't see you or anyone calling for similar restrictions on Apple. Restrictions only on MS will only strengthen Apple's hand with the way things are going. Are you really looking at tablet sales, PC sales, phones sales trends? Do you really want that? Maybe you do or don't really care about Apple and its even more locked down products, because I usually see that taking down and hating on MS seems to be more preferable to actually increasing software "freedom", at least in this community.

      --
      This space for rent.
    35. Re:Yay for security! by bingoUV · · Score: 1

      I don't see you or anyone calling for similar restrictions on Apple

      The subject line of the Slashdot story would help you there. You would notice, this story is about "Microsoft", NOT "Apple". You would "see" plenty of people calling for various things, including restrictions, on Apple if you go to apple.slashdot.org, or read stories about Apple in other sections of Slashdot.

      You are welcome.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
  3. Nice Headline by a90Tj2P7 · · Score: 1, Interesting

    "Microsoft Certificate Was Used To Sign Flame Malware" != "Counterfeit Microsoft Certificate Was Used To Sign Flame Malware"

    1. Re:Nice Headline by K.+S.+Kyosuke · · Score: 4, Insightful

      What exactly do you mean by "counterfeit"? If the signing key was signed by the genuine Microsoft key, how does that objectively differ from all the other signing keys?

      --
      Ezekiel 23:20
    2. Re:Nice Headline by joeflies · · Score: 5, Informative

      It was not a counterfeit Microsoft certificate. It was a legitimate Microsoft certificate from Terminal Server Licensing Service, but used for purposes other than it was intended.

    3. Re:Nice Headline by lemonfresh33 · · Score: 0

      When they took Robert Schifreen to court in the early 80s they tried to prove he'd counterfeited passwords. If memory serves, they failed because copying != copying.

    4. Re:Nice Headline by lemonfresh33 · · Score: 2

      Oops... typo... Counterfeiting != copying.

    5. Re:Nice Headline by Psykechan · · Score: 5, Informative

      The certs issued from the Terminal Server Licensing Service were intended to be used only for connections and not code signing. This is Microsoft's blunder. They weren't actually licensing malicious certificates but they were giving people tools to issue what appeared to be valid certs coming from MS.

      The fixes are going to be changing TSLS so that its certs can no longer be used to sign code and revoking the intermediate CA certs that are affected.

      http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx
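
The comment above names two remedies: stop licensing certificates from being usable for code signing, and revoke the affected intermediate CA certificates. The following is an added example, not code from Microsoft or from this thread; it is a simplified policy model (no X.509 parsing, no signature checks) in which every certificate name, fingerprint and the licensing usage label are constructed, and expressing the restriction as a usage list on the CA is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

CODE_SIGNING = "1.3.6.1.5.5.7.3.3"      # id-kp-codeSigning (RFC 5280)
LICENSING = "example-licensing-usage"   # constructed label, not a real OID


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    eku: Optional[FrozenSet[str]]  # None models "no usage restriction present"
    fingerprint: str               # constructed placeholder values below


def check_code_signing(leaf: Cert, pool: Dict[str, Cert],
                       trusted_roots: Set[str], disallowed: Set[str]) -> str:
    """Return "ok" or the reason the chain is rejected for code signing.

    Signature verification is out of scope here; the model only shows the
    usage and distrust decisions made while walking leaf -> root.
    """
    # Policy choice of this model: the leaf must explicitly allow code signing.
    if leaf.eku is None or CODE_SIGNING not in leaf.eku:
        return "leaf not issued for code signing"
    cert, seen = leaf, set()
    while True:
        if cert.fingerprint in disallowed:       # remedy 2: explicit distrust
            return f"explicitly distrusted: {cert.subject}"
        if cert.fingerprint in seen:
            return "loop in chain"
        seen.add(cert.fingerprint)
        if cert.subject == cert.issuer:          # self-signed: end of chain
            return "ok" if cert.fingerprint in trusted_roots else "untrusted root"
        issuer = pool.get(cert.issuer)
        if issuer is None:
            return f"issuer not found: {cert.issuer}"
        if not issuer.is_ca:
            return f"issuer is not a CA: {issuer.subject}"
        # Remedy 1: a CA restricted to other usages cannot vouch for code signing.
        if issuer.eku is not None and CODE_SIGNING not in issuer.eku:
            return f"CA not permitted to issue code-signing certs: {issuer.subject}"
        cert = issuer


# Constructed sample chain: root -> licensing CA -> leaf that claims code signing.
ROOT = Cert("Example Root CA", "Example Root CA", True, None, "fp-root")
LIC_CA_BEFORE = Cert("Example Licensing CA", "Example Root CA", True, None, "fp-lic-1")
LIC_CA_AFTER = Cert("Example Licensing CA", "Example Root CA", True,
                    frozenset({LICENSING}), "fp-lic-2")
LEAF = Cert("Example Signer", "Example Licensing CA", False,
            frozenset({LICENSING, CODE_SIGNING}), "fp-leaf")


def scenarios() -> Dict[str, str]:
    roots = {ROOT.fingerprint}
    before = {c.subject: c for c in (ROOT, LIC_CA_BEFORE)}
    after = {c.subject: c for c in (ROOT, LIC_CA_AFTER)}
    return {
        # Unrestricted licensing CA: the chain passes as code signing.
        "before": check_code_signing(LEAF, before, roots, set()),
        # Licensing CA limited to licensing usage: rejected.
        "usage_restricted": check_code_signing(LEAF, after, roots, set()),
        # Old CA certificate placed on a distrust list: rejected.
        "ca_distrusted": check_code_signing(LEAF, before, roots,
                                            {LIC_CA_BEFORE.fingerprint}),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```
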

    6. Re:Nice Headline by shentino · · Score: 1

      The TSLS was a confused deputy.

    7. Re:Nice Headline by MightyYar · · Score: 1

      I don't know exactly how MS's certs work, but doesn't this mean that they can tell exactly which cert did the signing of the malware? That might be an interesting piece of information, even if it just leads to a dead end.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    8. Re:Nice Headline by Anonymous Coward · · Score: 0

      It probably leads to a certain government. Which is why this "interesting piece of information" will never be published.

    9. Re:Nice Headline by Zinho · · Score: 1

      ... this "interesting piece of information" will never be published.

      I agree with the sentiment, but if the cert is in the virus code then it's available to everyone who has a copy. Stuxnet is fairly widely distributed, and I'm sure every black hat organization that wants it has a copy. The U.S. Government may be able to strong-arm Kaspersky and Norton, but I doubt they have much leverage over the Cult of the Dead Cow (or whoever the big player is this week). The U.S. Government may be able to strong-arm Rupert Murdoch and the other modern-day Charles Foster Kanes, but there are plenty of bloggers looking to make a name for themselves, never mind all the foreign journalists for agencies like Al Jazeera.

      As much as anyone in power may want to suppress this information, it's got literally the same problem as DRM on movie disks - the virus is intentionally broadcasting itself to the world, and needs to have the cert attached to work properly. If it can be analyzed to find incriminating information, and there is anyone motivated and skilled enough to do the analysis, I am sure they will have access to both the virus itself and the means to publish.

      --
      "Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin
    10. Re:Nice Headline by ThatsNotPudding · · Score: 2

      It was a legitimate Microsoft certificate from Terminal Server Licensing Service, but used for purposes other than it was intended.

      And that purpose was Plausible Deniability.

  4. Remember the Kernel Backdoor by Anonymous Coward · · Score: 4, Interesting

    I think it was an SHS exploit or something in the Windows Kernel. Steve Gibson stepped through the Kernel and concluded that this vulnerability was an intentionally placed backdoor, perhaps by a Microsoft employee. It's in one of his earlier podcasts. Lots of people thought maybe he was crazy at the time, but in retrospect ... maybe not so much.

    1. Re:Remember the Kernel Backdoor by JustNiz · · Score: 2

      Nice to know that even now, after Microsoft have been bitten so many times, it still hasn't occurred to them to do security auditing of at least the kernel API before they release it as a global product.
      And this is the company and product most businesses choose to trust? wow. and will be the authority for the trustable bootloader key.. again, wow.

    2. Re:Remember the Kernel Backdoor by ChumpusRex2003 · · Score: 3, Interesting

      I don't think Gibson found a kernel backdoor.

      He did shout very loudly about an intentional backdoor in the Windows metafile image handler, which would start executing native code when a callback command was included in the script. He made a large number of spurious arguments as to why this was clearly intentional, as the vuln could only be triggered in very exceptional circumstances.

      He was completely wrong about almost everything he said. The vuln was trivial to trigger, except when it was the last instruction in the script (which was the only way Gibson was testing). From the fact that he had great difficulty triggering it, requiring multiple parameters to be set to nonsense values, he concluded that this was clearly a deliberate backdoor.

      It later came out from a number of MS insiders (incl. Mark Russinovich) that metafiles were a feature of Win 3, and were intended to be fully-trusted OS components (for rapid image drawing, and therefore had privileged access to a variety of internal system calls - notably the ability to set callbacks). The functionality was greatly increased in Win95 and later, with the original x86 hand-written assembly being ported directly, rather than rewritten. In the mists of time, the assumption of full-trust got lost.

    3. Re:Remember the Kernel Backdoor by Anonymous Coward · · Score: 0

      Yea but Steve Gibson also said raw sockets in XP would destroy the internet, claimed SYN cookies as his own invention, then there was SpinRite which destroyed data. Taking Gibson's word on anything security related is, in my opinion, at best a huge mistake.

    4. Re:Remember the Kernel Backdoor by trifish · · Score: 3, Interesting

      Since when is sheer unsourced FUD posted by Anonymous Coward starting with "I think that" moderated +5?

    5. Re:Remember the Kernel Backdoor by Anonymous Coward · · Score: 0

      In the mists of time, the assumption of full-trust got lost.

      How is this anything other than a Total WTF? You're phrasing it like it's a kind of mistake anyone could make, but it's utterly inadmissible, *especially* from a "professional" and "market leading" software vendor.

    6. Re:Remember the Kernel Backdoor by Mia'cova · · Score: 1

      The people working on features like this very rarely wrote the original code. If someone handed you 50 or 100k lines of assembly code with little/no documentation and needed you to make a few fixes or add a feature, it's pretty easy to miss some of those assumptions. And it's especially true now since virtually no one writes assembly code. New products are written in modern languages like C# or Java specifically for these kinds of things. A lot of language features were actually developed to manage problems like trust in an enforceable way. There are going to be issues like this cropping up for years to come but it's certainly a situation which is getting a lot better each generation as more and more components are re-engineered with modern security.

  5. How/why are iranians running windows anyways? by Anonymous Coward · · Score: 1

    I thought they were under all kinds of "tough" sanctions? I guess not too tough for Microsoft to make a quick buck selling them their shitty OS!

    1. Re:How/why are iranians running windows anyways? by Jeng · · Score: 1

      Pffft, so you think they are not technologically advanced enough to download a pirated copy?

      --
      Don't know something? Look it up. Still don't know? Then ask.
  6. Summary of TFA . . . by InvisibleClergy · · Score: 1

    Attackers broke an old form of security which has been relatively trivially patched. This is actually good for Microsoft, because (ideally) now they will review all of their old authorized keys and determine which would be easier to generate. So it's not like Microsoft included their Private Key in plaintext in some code somewhere, or anything like that.

    1. Re:Summary of TFA . . . by the_B0fh · · Score: 1

      They've stored their Private Key in plain text _somewhere_ even if that somewhere was an encrypted container that's locked away in Bill Gates' basement... :)

  7. UEFI by Anonymous Coward · · Score: 5, Insightful

    And this is how they plan to monopolize Secure Boot (UEFI) and get rid of Linux? why should I trust that ONE KEY that microsoft plans to install on all motherboards?

    JP

    1. Re:UEFI by KingMotley · · Score: 1, Informative

      First of all the Secure Boot in UEFI wasn't mandated by Microsoft, it's a feature that they have decided to implement. A feature any OS is free to implement, including linux.
      Secondly, motherboard manufacturers are able to add (or pre-add) any key (or none at all) if they choose.
      Thirdly, there is nothing keeping users from being able to install their own key (or additional keys) through the UEFI boot process, assuming the UEFI manufacturer provides one.

      Really, stop spreading your FUD.

    2. Re:UEFI by afidel · · Score: 0, Troll

      You are an idiot, the Windows 8 Ready program requires manufacturers to make adding additional secure boot keys available to the end user. Secure Boot isn't some conspiracy to get rid of Linux, it's an attempt to try to get rid of physical access == owned. Paranoid Linux lovers have turned it into a conspiracy because MS == evil in their eyes, whereas the real evils (Chinese government for one) are given a pass even though the attempt is to get rid of things like rootkits installed at customs.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    3. Re:UEFI by betterunixthanunix · · Score: 5, Informative

      First of all the Secure Boot in UEFI wasn't mandated by Microsoft

      Except when it comes to Windows 8 on ARM systems. Then Microsoft does mandate secure boot.

      A feature any OS is free to implement, including linux.

      1. Linux is not an operating system, it is a kernel.
      2. What difference does it make if other OSes support secure boot, if you cannot install those OSes as a result of secure boot being used?

      Secondly, motherboard manufacturers are able to add (or pre-add) any key (or none at all) if they choose.

      This is a cop out; unless there is a simple way for users to install their own keys, this is something that will further restrict how people can use their computers. You can jailbreak your iPad if you want, but the majority of people have trouble doing so.

      Thirdly, there is nothing keeping users from being able to install their own key (or additional keys) through the UEFI boot process, assuming the UEFI manufacturer provides one.

      ...which is something Microsoft pressures them not to do on ARM devices:

      https://www.softwarefreedom.org/blog/2012/jan/12/microsoft-confirms-UEFI-fears-locks-down-ARM/

      Really, stop spreading your FUD.

      What FUD? We said years ago that iPad style lock-down is coming to desktops and laptops; now we have moved a step closer. There is a lot of money to be made from attacking computer users' freedom, and now that Apple has pulled in billions of dollars doing so, everyone else wants to join the party.

      --
      Palm trees and 8
    4. Re:UEFI by MickyTheIdiot · · Score: 3, Interesting

      But is Linux only able to join the party if it plays in the game Microsoft created? Do you have to be a multi-million dollar company to play? Can I write my own OS if I wanted to and have it boot "securely" on hardware that I own?

      None of this seems answered right now. I know that the idiots in Washington DC think you have to be a company to make software, but when you implement that into the hardware it's total bullshit.

    5. Re:UEFI by MickyTheIdiot · · Score: 1

      Also, it's a great way to get an OS labeled "insecure" by knownothings.

    6. Re:UEFI by a90Tj2P7 · · Score: 3, Informative

      This is a cop out; unless there is a simple way for users to install their own keys, this is something that will further restrict how people can use their computers.

      There is. UEFI isn't new, nor is secure boot. The only thing new is MS wanting to make it . There's a process for adding keys. Or the vendor can just pay $99 to Verisign like Fedora's doing. Even if you think that isn't "simple" enough, the feature can just be disabled on x86 machines.

    7. Re:UEFI by 0123456 · · Score: 1

      This is not a troll, saying that MS is trying to eliminate Linux through secure boot is a troll....

      Yes. I'm sure that Microsoft never even considered that requiring a Microsoft key to boot your PC (or having to jump through hoops to disable 'Windows Boot' rather than just install from a CD) would harm the competition.

    8. Re:UEFI by a90Tj2P7 · · Score: 1

      The only thing new is MS wanting to make it a prerequisite for Win 8.*

    9. Re:UEFI by Culture20 · · Score: 3, Interesting

      the Windows 8 Ready program requires manufacturers to make adding additional secure boot keys available to the end user. Secure Boot isn't some conspiracy to get rid of Linux, it's an attempt to try to get rid of physical access == owned.

      Except it does nothing about that. Physical access still == owned unless you lock the bios/uefi and physically lock the machine. Otherwise the attacker can either take out the HDD or boot up a Linux live CD or other HDD by adding a new key. That's no different from the current state of affairs where we change the boot order, lock down the bios and lock the machine. That means the purpose for Secure Boot has to be something else... and easy money is on market dominance (even just joe-user home market dominance).

    10. Re:UEFI by betterunixthanunix · · Score: 5, Insightful

      the vendor can just pay $99

      The fact that this is phrased in terms of "vendors" should indicate that this is an attack on user freedom. A fee to install your signing key creates obstacles for anyone who wants to fork a GNU/Linux distribution (happens all the time), anyone who wants to create their own distribution, and anyone who wants to try "Linux from Scratch" (and I know of a few people who have done so). It also creates an obstacle for anyone who wants to write their own kernel or OS; if Linus Torvalds had to pay $99, the Linux kernel itself may never have been created.

      Even if you think that isn't "simple" enough

      The fact that money is involved makes it a major barrier, and counts very strongly against the process being "simple" (it requires a payment to be processed, a third party to the new key, etc. -- you cannot even test a system without the fee; compare with TLS, where you can generate a usable test certificate without paying anyone).

      the feature can just be disabled on x86 machines.

      Only if the motherboard manufacturer allows it, and this is not allowed on ARM machines that will run Windows 8. Considering the inroads ARM has made into personal computing, I do not think it is unfair to say that the decisions made today about ARM computers will shape the reality of personal computing over the next decade. We are already seeing this happening; app stores are the norm, people are talking about trendy apps, etc.

      --
      Palm trees and 8
    11. Re:UEFI by Anonymous Coward · · Score: 0

      why should I trust that ONE KEY that microsoft...

      JP

      Recently one of my friends, a computer wizard, paid me a visit. As we were talking I mentioned that I had recently installed Windows on my PC, I told him how happy I was with this operating system and showed him the Windows CD. To my astonishment and distress he threw it into my micro-wave oven and turned it on. I was upset because the CD had become precious to me, but he said: 'Do not worry, it is unharmed.' After a few minutes he took the CD out, gave it to me and said: 'Take a close look at it.' To my surprise the CD was quite cold and it seemed to have become thicker and heavier than before. At first I could not see anything, but on the inner edge of the central hole I saw an inscription, in lines finer than anything I have ever seen before. The inscription shone piercingly bright, and yet remote, as if out of a great depth:

      4F6E 6520 4F53 2074 6F20 7275 6C65 2074 6865 6D20 616C 6C2C 204F 6E65 204F 5320 746F
      2066 696E 6420 7468 656D 2C0D 0A4F 6E65 204F 5320 746F 2062 7269 6E67 2074 6865 6D20
      616C 6C20 616E 6420 696E 2074 6865 2064 6172 6B6E 6573 7320 6269 6E64 2074 6865 6D

      'I cannot read the fiery letters,' I said.
      'No,' he said, 'but I can. The letters are Hex, of an ancient mode, but the language is that of Microsoft, which I shall not utter here. But in common English this is what it says:'

              One OS to rule them all, One OS to find them,
              One OS to bring them all and in the darkness bind them.

      One OS to rule them all

    12. Re:UEFI by KingMotley · · Score: 1

      Linux is not an operating system, it is a kernel.

      Actually, it is an operating system. It by itself is just a kernel, granted, but an operating system kernel is itself an operating system. I realize you were just trying to point out a triviality, but you are incorrect in your terminology. You may not use the term in that fashion, and you may prefer to call linux the kernel whereas {flavor of the month} as the operating system so that you can try and draw a line to show the difference to people that aren't familiar with it, but that doesn't make it incorrect to label it as such. The linux kernel meets every requirement necessary to be called an operating system itself. If you can find a definition of Operating System by ANY relevant source, please provide it, because it meets every definition I've ever heard of.

      What difference does it make if other OSes support secure boot, if you cannot install those OSes as a result of secure boot being used?

      Then disable secure boot. For example, hold down shift while you turn on the computer to enter the UEFI. Select the "Security" section, then uncheck "secure boot enabled". Click OK. Reboot. Boy, that was hard.

      This is a cop out; unless there is a simple way for users to install their own keys, this is something that will further restrict how people can use their computers. You can jailbreak your iPad if you want, but the majority of people have trouble doing so.

      There is a simple way for users to install their own keys, or disable secure boot entirely if they want. And selecting a menu option is not quite the same thing as download this program from this site, connect your iDevice, sideband load this, hit these 20 keys while you reboot, then make sure you check the version of iOS you are running because this backdoor doesn't work in the versions x,y,z.

      ...which is something Microsoft pressures them not to do on ARM devices:

      https://www.softwarefreedom.org/blog/2012/jan/12/microsoft-confirms-UEFI-fears-locks-down-ARM/

      And you can't load an alternate OS on my refrigerator, my dryer either, or my TV. While it's technically possible I suppose, people aren't demanding it, nor would I suspect a large amount of users want to buy an ARM based tablet with windows 8 and want to dual boot to another OS. There are plenty of devices out there that can run the OS of your choice.

    13. Re:UEFI by Anonymous Coward · · Score: 0

      But is Linux only able to join the party if it plays in the game Microsoft created?

      You mean linux is only able to join the party if it plays the game that the consortium of hardware and software companies came up with to fix all the legacy problems with the older BIOSes? Why yes, linux is only able to currently join the party if it plays the game that we now call BIOS. Now it will have to play the UEFI game if it wants to run on UEFI enabled motherboards, or NOT. Feel free to stay with BIOS based motherboards until the year 2900 if you want.

      Can I write my own OS if I wanted to and have it boot "securely" on hardware that I own?

      Yes, just disable secure boot, or install your own key. Cryptography keys aren't hard to create. Anyone who is capable of writing an OS is capable of generating their own signing key, it's not rocket surgery.

    14. Re:UEFI by Anonymous Coward · · Score: 0

      What competition? Linux has a desktop usage share of less than 2% according to Wikipedia. And that's with the benefit of an unencumbered platform.

    15. Re:UEFI by KingMotley · · Score: 1

      That's because it IS "insecure".

    16. Re:UEFI by shiftless · · Score: 1

      Secure Boot isn't some conspiracy to get rid of Linux, it's an attempt to try to get rid of physical access == owned.

      Thanks Microsoft.... but no thanks. A shotgun (plus Truecrypt) is enough to protect my data.

    17. Re:UEFI by Anonymous Coward · · Score: 0

      Linux is not an operating system, it is a kernel.

      You stupid fucking cocksucker! 99.9% of readers here already know that. One single word can have more than one definition. If I post a comment on Slashdot stating that I run Linux on my home PC, which I would never do because I don't lick Stallman's shit-encrusted asshole, they know Linux is a kernel and they know I'm probably using it in conjunction with GNU software. God Damn, why can't people like you just go fuck yourself and not annoy the rest of humanity?

    18. Re:UEFI by betterunixthanunix · · Score: 1

      Then disable secure boot. For example, hold down shift while you turn on the computer to enter the UEFI. Select the "Security" section, then uncheck "secure boot enabled". Click OK. Reboot. Boy, that was hard.

      Except that you are not allowed to do so on ARM systems that run Windows 8, as per Microsoft's demands.

      --
      Palm trees and 8
    19. Re:UEFI by ThatsNotPudding · · Score: 1

      Even if you think that isn't "simple" enough, the feature can just be disabled on x86 machines.

      Until NSA/MS Black Ops releases the exploits targeting non-secure boot machines...

    20. Re:UEFI by Anonymous Coward · · Score: 0

      Except that you are not allowed to do so on ARM systems that run Windows 8, as per Microsoft's demands.

      No, If an OEM wants free advertising and wants to put a "made for windows" logo on their device, then.. and only then, does Microsoft mandate what to do.

      Kind of like if you want to use Android on your phone/tablet without google then you're free to do so but if you want to use Google's logos on your phone then you have to have Google's services installed by default.

      So what you should do is buy one that doesn't come with Windows. Or is your new conspiracy theory that each and every single ARM system will only come with Microsoft Windows?

      Find some new FUD .. you're really grasping at straws. Although being an anti-ms troll, this is probably your favorite pastime, in which case - continue with your trolling, but please make it entertaining to read.

    21. Re:UEFI by 0ld_d0g · · Score: 1

      Why? Couldn't you just encrypt the HDD?

    22. Re:UEFI by MickyTheIdiot · · Score: 1

      Sorry? As I read it only bios manufacturers can install those keys.

      If I can install my own keys I have no problem with it, but if I can't I do.

    23. Re:UEFI by Culture20 · · Score: 1

      Why? Couldn't you just encrypt the HDD?

      Not if it's a public workstation expected to be rebooted by end-users and subject to power outages. They're the most likely computers to have people get physical access.

    24. Re:UEFI by zeugma-amp · · Score: 1

      Except it does nothing about that. Physical access still == owned unless you lock the bios/uefi and physically lock the machine. Otherwise the attacker can either take out the HDD or boot up a Linux live CD or other HDD by adding a new key. That's no different from the current state of affairs where we change the boot order, lock down the bios and lock the machine. That means the purpose for Secure Boot has to be something else... and easy money is on market dominance (even just joe-user home market dominance).

      It's also going to put an end to people being able to use Linux "Live" CDs as emergency recovery tools. I know of several instances where the only way to get data off a crapped out windows install was to boot off a live disk, then copy stuff to USB. Looks like going forward, if your windows install craps out, as it is wont to do more so than any other system I've seen, you're SOL unless you have backups.

      That would be a good thing, but people are generally too stupid to have current backups.

      --
      This is an ex-parrot!
    25. Re:UEFI by Culture20 · · Score: 1

      It's also going to put an end to people being able to use Linux "Live" CDs as emergency recovery tools.

      MS would rather you use WinPE for recovery anyway. Of course I haven't checked into Secure Boot enough to know what it would do to WinPE or BartPE CDs.

    26. Re:UEFI by afidel · · Score: 1

      Of course you can, that's the entire point of secure boot, to allow TPM and UEFI to confirm that the installed OS is in fact the one listed in the TPM keystore!

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    27. Re:UEFI by afidel · · Score: 1

      Not if you're traveling to China. This is a real problem that Microsoft customers (and MS themselves!) are facing, state sponsored industrial espionage is a real threat and MS is working on trying to fix the situation.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    28. Re:UEFI by Culture20 · · Score: 1

      Why? Couldn't you just encrypt the HDD?

      Not if it's a public workstation expected to be rebooted by end-users and subject to power outages

      Of course you can, that's the entire point of secure boot, to allow TPM and UEFI to confirm that the installed OS is in fact the one listed in the TPM keystore!

      Then how does random joe user decrypt the HDD on the public workstation? Do the admins have to walk around typing in passwords all day, or does the UEFI store the encryption passphrase?

    29. Re:UEFI by afidel · · Score: 1

      It's stored in the TPM hardware store.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    30. Re:UEFI by Anonymous Coward · · Score: 0

      Then disable secure boot. For example, hold down shift while you turn on the computer to enter the UEFI. Select the "Security" section, then uncheck "secure boot enabled". Click OK. Reboot. Boy, that was hard.

      Except that you are not allowed to do so on ARM systems that run Windows 8, as per Microsoft's demands.

      If I understand this process correctly, will I be able to (on the desktop) remove Microsoft's key from being trusted?

    31. Re:UEFI by KingMotley · · Score: 1

      Yes, if that is what you want.

    32. Re:UEFI by Anonymous Coward · · Score: 0

      That's because it IS "insecure".

      In relation to what? Windows?

  8. Microsoft is in on it by Anonymous Coward · · Score: 1

    They were totally in on it, and only issuing this advisory to cover their asses.

  9. future of it all? bleak... by darkob · · Score: 2

    I wonder how long will it take for the government(s) to decide they in fact own every computer (or at least its processing capabilities) and issue some sort of mandatory backdoor. As it seems antivirus companies might be first compelled to "go along" with the new paradigm, by probably "not detecting" presence of some (government?!) software (that we oldfashionedly still call "malware", whereas these pieces of code are highly focused towards very specific target, so majority of users/comp. owners should have no problems whatsoever with the sinister part of said software). Indeed, grim future may even be "you should let that piece of software alone, if you have nothing to hide". Whether or not this story has anything to do with the _NSAKEY.

    1. Re:future of it all? bleak... by betterunixthanunix · · Score: 1

      I wonder how long will it take for the government(s) to decide they in fact own every computer (or at least its processing capabilities) and issue some sort of mandatory backdoor.

      What, you think this sort of thing has not already happened? Take a look at telecom equipment some time...

      --
      Palm trees and 8
  10. That's gotta hurt the bottomline... by Anonymous Coward · · Score: 0

    I mean, if an America-hating country is paranoid enough they'll see this as Microsoft cooperating with American interests in order to bring a country down.

    Bye Windows, hello home-rolled Dictatubuntu. "Sandbox-testing" just got a whole new meaning ^^

    1. Re:That's gotta hurt the bottomline... by couchslug · · Score: 1

      Why would THEY be "paranoid" when business and government in the US are one?

      "Dictabuntu" does have a nice ring to it.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  11. Simple by Anonymous Coward · · Score: 0

    Remove Microsoft from your list of trusted CAs, because their certs can't be trusted.

  12. This one might ... by Anonymous Coward · · Score: 0

    ... (arguably) be the first 0day in Flame. Let's see what is to come.

  13. fake certificates, or sold certificates? by Edzilla2000 · · Score: 3, Interesting

    Considering that Microsoft sold the possibility to sign ssl certificates for any domain to the late Tunisian government, why wouldn't they sell the same thing to the makers of that virus, if it really comes from a government?

    source: http://arabcrunch.com/2011/09/wikileaks-microsoft-accused-in-helping-bin-ali-monitor-tunisians-corruption-stifling-open-source.html

    1. Re:fake certificates, or sold certificates? by 0ld_d0g · · Score: 1

      I think you misunderstood the article. They did not give the government a possibility to "sign ssl certificates for any domain" - whatever that means. (private keys are used to sign things, and public certificates are issued to ensure that the private key used earlier was valid - as long as you trust the CA). Microsoft has no such power. But IE, like all current browsers maintains a simple list of trustworthy CAs and they allowed the Tunisian government's CA to be included in the list of 'safe' CAs. This by itself is not a problem - it's only a problem because the government is repressive and could use this power to do much evil. This means that in theory the Tunisian government could conduct man in the middle attacks and the end user would not notice (only if using IE). I believe they were safe on other browsers. Of course, they could repackage Firefox with their own CA and do the same to Firefox users.

    2. Re:fake certificates, or sold certificates? by Mia'cova · · Score: 1

      A correction.. IE uses the windows certificate store. It doesn't hold its own set of certs. I know Firefox used to have its own set of certs. I'm not sure if that's still true. I'm pretty sure Chrome also uses the windows certificate store. In most cases, using the windows cert store is the right thing to do. I can understand why Mozilla would want to manage some of this themselves. If they need to roll their own cert store for their cross-platform support, it might just be easier to do that than keep up with all the differences between platforms.

      But the main idea is that if you trust the windows cert store, when things like this happen, the cert will be invalidated for everything, not just IE, or Safari, or whatever. Companies can also then add their own certs, reject some, etc in a central database. It's annoying for an IT dept when individual apps do their own thing and don't respect the platform's settings.
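
Added example, not part of any comment in this thread: a simplified Python model of the point made in the sub-thread above, that a distrust entry in a shared platform store takes effect for every application reading that store, while an application that keeps its own store is unaffected until it is updated separately. All names (`Cert`, `CertStore`, `validate`, the CA subjects and application names) are hypothetical and constructed, and no real signatures are checked.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a certificate (no keys, no real signature)."""
    subject: str
    issuer: str
    usages: frozenset = frozenset()  # allowed uses, e.g. {"code_signing"}

    @property
    def thumbprint(self) -> str:
        # Stores identify certificates by a hash of their contents.
        data = f"{self.subject}|{self.issuer}|{sorted(self.usages)}"
        return hashlib.sha256(data.encode()).hexdigest()


@dataclass
class CertStore:
    trusted_roots: set = field(default_factory=set)  # thumbprints
    disallowed: set = field(default_factory=set)     # thumbprints

    def trust(self, cert: Cert) -> None:
        self.trusted_roots.add(cert.thumbprint)

    def distrust(self, cert: Cert) -> None:
        self.disallowed.add(cert.thumbprint)


def validate(chain, store, usage):
    """Validate a chain (leaf first, root last) for one intended usage.

    Returns (ok, reason). Signature checks are out of scope for this model.
    """
    if not chain:
        return False, "empty chain"
    # 1. An explicit distrust entry anywhere in the chain overrides all else.
    for cert in chain:
        if cert.thumbprint in store.disallowed:
            return False, f"{cert.subject} is explicitly distrusted"
    # 2. Each certificate must name the next one as its issuer.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject} was not issued by {parent.subject}"
    # 3. The chain must end at a self-issued root that the store trusts.
    root = chain[-1]
    if root.issuer != root.subject or root.thumbprint not in store.trusted_roots:
        return False, "chain does not end at a trusted root"
    # 4. The leaf must be allowed to do what it is being used for.
    if usage not in chain[0].usages:
        return False, f"leaf is not valid for {usage}"
    return True, "ok"


def scenario():
    """Compare apps on a shared store with one that keeps a private store."""
    # Constructed chain: a root, an intermediate CA, and a code-signing leaf.
    root = Cert("Example Root CA", "Example Root CA")
    sub_ca = Cert("Example Licensing CA", "Example Root CA")
    leaf = Cert("Example Publisher", "Example Licensing CA",
                frozenset({"code_signing"}))
    chain = [leaf, sub_ca, root]

    platform_store = CertStore()
    platform_store.trust(root)
    private_store = CertStore()   # an app shipping its own copy of the roots
    private_store.trust(root)

    apps = {
        "browser": platform_store,
        "installer": platform_store,
        "own_store_app": private_store,
    }

    def results():
        return {name: validate(chain, store, "code_signing")[0]
                for name, store in apps.items()}

    before = results()
    # One central change: the intermediate CA goes into the disallowed list.
    platform_store.distrust(sub_ca)
    after = results()
    return before, after


if __name__ == "__main__":
    before, after = scenario()
    print("before:", before)
    print("after: ", after)
```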

  14. Really? by Corson · · Score: 5, Interesting

    Flamer is out in the wild since cca. 2007, with a MS signed certificate, and the only IT security organization that decides to bring it to public attention is a Russian company, and the first removal tool is from a Romanian company. Isn't this a bit strange? Isn't it more likely that this NA-designed spyware targeting the Middle East was released with the tacit agreement of Western security companies and it only became known because the Russians, for some reason, decided they would not play the game? Microsoft being unaware for the last few years that hundreds of computers are infected with a 20 MB spyware pack bearing a security certificate of their own? Come on...

    1. Re:Really? by marcosdumay · · Score: 1

      Flame spreads slowly*, and thus is quite hard to detect.

      * Maybe "slowly" is an understatement. The virus seems to spread only when ordered to.

    2. Re:Really? by knorthern+knight · · Score: 1

      > Microsoft being unaware for the last few years that hundreds of computers are
      > infected with a 20 MB spyware pack bearing a security certificate of their own? Come on...

      Don't laugh. Microsoft Excel 97 had an "Easter Egg" flight simulator game hidden in the code. http://eeggs.com/items/718.html

      --

      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
  15. Re:why does the craigslist m4m section have so man by Anonymous Coward · · Score: 0

    ok i guess that explains it

  16. Gorgeous by Anonymous Coward · · Score: 0

    What a delicious example of plausible deniability. If you don't believe them, you are paranoid. If you believe them, you have to willingly ignore Microsoft's rapacious, lying history. That it goes beyond what one might expect of incompetence, way off into Scott Adams' accounts of fictitious and roll on the ground laughing galactic screwups, implies that it was planned this way. But of course nobody would willingly do that, it's not even worth commenting about. Even the NSA is not that dumb. Or that smart. Or.. whatever, they are invisible and don't exist except in Hollywood. And when issuing secure linux operating systems.

    Massive vulnerability is so massive, it's stupid. Massive corporation is so massive, it is holy. I believe the reason America greatly sucks right now is a fundamental cognitive dissonance. A flaw in the character that worked well in the 19th century but started to fail in the 20th and totally is epically failing in the 21st. It is clearly visible here. It's that Microsoft's greatest core competence, here beautifully demonstrated, is this totally crazy, smirking, malicious stupidity, it is so evil it is good, so hated that it is loved, a fundamental quantum impossibility that comes off as sexy panache on the TV sitcoms, that here simultaneously emphasizes rattle-trap monopoly while self-defusing any possibility of reprisal, and 3, 2, 1 inevitably will lead to greater profitability by emphasizing security in a related announcement.

    It is just so hugely mind-bogglingly idiotic or evil you immediately censor yourself from pursuing it while gasping for oxygen. In summary, the country is shot because people love this wacky, profitable, bulletproof juggernaut that just comes back for more. It's the new America. It is how we got into the Iraq war. Never mind that I predicted a similar "wacky reason is invented so we can go clean up and get the oil" war about 5-10 years before it happened. It is really a problem, this megacorp supervulnerable smarmy I'm rubber you're glue, we are pals of the government which is why we can give absolutely brain exploding explanations and everybody has to shut up and eat it. Bruce come out and explain it to those dumb asses! Arrrggghhh!!

  17. Secure systems by fa2k · · Score: 1

    It has recently become obvious that spy agencies can get any keys/certificates they need. An obvious way to spread spy software would be to send a poisoned system update, or an update for Adobe, etc. In the end, we have to trust the people who provide software systems, or write everything from scratch (and possibly build the hardware). Is there a usable system that limits the extent to which software creators can take control? Would be nice if there was a system that wasn't constantly tied to an update repository, and the code was reviewed, yet it was still usable.

  18. Today's Lesson by Adrian+Lopez · · Score: 4, Insightful

    So... what did we learn today?

    1. Signed code is not safe code.
    2. An insecure operating system that only runs signed code is still an insecure operating system.

    --
    "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
    1. Re:Today's Lesson by Anonymous Coward · · Score: 0

      Yeah. If only it was like in the Real World(tm), because then if anything was signed, you'd surely be safe....wait...damn!

  19. Do the right thing, MS. by detritus. · · Score: 1

    Cancel your support contracts with the federal government NOW.

  20. New users only? by infochuck · · Score: 1

    It's so strange that about the only posts one sees here anymore are from users with ID#s in the 40,xxx,xxx block.

    1. Re:New users only? by couchslug · · Score: 1

      Never trust anyone whose ID begins with a 4.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    2. Re:New users only? by Anonymous Coward · · Score: 0

      That is the post number. Look next to the username for the user id number.

    3. Re:New users only? by infochuck · · Score: 1

      Boy am I dumb! It's obviously been far too long since I hung out here.

  21. If you support Verisign you support Norton by tepples · · Score: 2

    Yes, registering with MS for $99 (which goes entirely to Verisign) is an insurmountable problem.

    If each end user has to do it, then yes, it is insurmountable in practice. It's especially hard for people who disagree with the principles of Norton software, which is sold by the same company that bought Verisign's certificate business.

    1. Re:If you support Verisign you support Norton by a90Tj2P7 · · Score: 1

      > If each end user has to do it, then yes, it is insurmountable in practice.

      Where did you even get that idea??? We're talking about the producers of the software registering a key, once. It has nothing to do with the users.

    2. Re:If you support Verisign you support Norton by tepples · · Score: 1

      > We're talking about the producers of the software registering a key, once.

      In that case, are you claiming that it is desirable that each operating system distributor must feed the Norton-Verisign racket?

    3. Re:If you support Verisign you support Norton by a90Tj2P7 · · Score: 2

      They don't. They can publish their own keys, they can operate their own key servers. Licensing through Verisign is just one of many options.

  22. Not buying what Microsoft is selling by WaffleMonster · · Score: 2

    Why are there two certificates with the exact same label? It takes a special kind of idiot.

    "Microsoft Enforced Licensing Intermediate PCA"

    Why does a certificate valid from 2002 to 2010 matter in 2012.. oh yeah, that's right, code signing certificates are based on the timestamp of the code, and so when you compromise a signing cert 100 years from now and take that impossibly difficult extra step of forging a valid timestamp it will still be valid. All code signing certs should have an indefinite expiration because effectively that's what they really are. Any other label is grossly misleading.

    The security week and MS article talks about forging keys using what I assume are insecure for signature algorithms.. I assume they mean MD5..but hey look at this:

    The signature algorithm for Microsoft Enforced Licensing Registration Authority CA (SHA1) is sha1; this is currently what EVERYONE is using. Was this cert also compromised in the same way? Why is it here?

    1. Re:Not buying what Microsoft is selling by Mia'cova · · Score: 1

      Actually, it sounds like it was an MS-controlled server issuing a cert for a remote desktop scenario which was inadvertently issuing certificates that also had code-signing privileges. No one cracked the signing process or forged anything from scratch. The attackers just found something that hadn't been locked down properly. Of course, it's still a rather huge fuck up. They were essentially handing over the keys. The point is though, it was a human-error fuck up that allowed this to happen, not a broken security model that needs replacing. Oops.
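The two points raised in this sub-thread (validity judged at the signing timestamp, and a licensing certificate that also carried code-signing privileges), as an added example that is not part of any comment and is not Microsoft's code: a simplified acceptance policy in Python. The certificate names, the day and month values and `check_signature` are constructed for illustration; real Authenticode verification also checks the chain, revocation and the timestamp's own signature.

```python
from dataclasses import dataclass
from datetime import date

CODE_SIGNING = "codeSigning"

@dataclass(frozen=True)
class Cert:
    name: str
    not_before: date
    not_after: date
    ekus: frozenset  # usages the issuer allowed for this certificate

def check_signature(cert, timestamp, today, distrusted=frozenset()):
    """Return (accepted, reason) for a signed file under a simplified policy."""
    # 1. An explicit distrust entry overrides everything else.
    if cert.name in distrusted:
        return False, "certificate explicitly distrusted"
    # 2. The certificate must be scoped for code signing at all.
    if CODE_SIGNING not in cert.ekus:
        return False, "certificate not authorized for code signing"
    # 3. With a trusted timestamp, validity is judged at signing time,
    #    so expiry alone never retires a timestamped signature.
    when = timestamp if timestamp is not None else today
    if not (cert.not_before <= when <= cert.not_after):
        return False, "certificate not valid at evaluation time"
    return True, "accepted"

# Constructed sample certificates (2002-2010 validity, as in the comment above).
SCOPED = Cert("constructed-licensing-cert", date(2002, 1, 1),
              date(2010, 12, 31), frozenset({"licensing"}))
OVERBROAD = Cert("constructed-overbroad-cert", date(2002, 1, 1),
                 date(2010, 12, 31), frozenset({"licensing", CODE_SIGNING}))

def demo():
    today = date(2012, 6, 4)   # evaluation date after expiry
    stamp = date(2009, 5, 1)   # constructed timestamp inside the validity window
    return {
        "expired_no_timestamp": check_signature(OVERBROAD, None, today),
        "expired_with_timestamp": check_signature(OVERBROAD, stamp, today),
        "scoped_cert": check_signature(SCOPED, stamp, today),
        "after_distrust": check_signature(OVERBROAD, stamp, today,
                                          frozenset({OVERBROAD.name})),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Only the usage restriction or the explicit distrust entry rejects the timestamped signature here; the 2010 expiry does not.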

  23. would it be naive? by Pirulo · · Score: 1

    1. - make bloated spy software virus for government
    2. - sign it
    3. - it's no longer a virus
    4. - profit
    5. - disclaimer will follow about stolen cert

  24. Out of tree drivers by tepples · · Score: 1

    Red Hat's approach, as the other Slashdot story states, is to have a first stage bootloader load and verify GRUB, and then GRUB loads and verifies Linux, and then Linux loads and verifies modules. This works if you run an official kernel with all official modules but not, as that story's featured article mentions, with "out of tree drivers". If you need to compile a kernel module from source to support hardware whose driver isn't yet in the mainline kernel, then as I understand it, you can't load such a module into a securely booted kernel without paying the $99 VeriNorton tax.

    1. Re:Out of tree drivers by vux984 · · Score: 1

      > If you need to compile a kernel module from source...

      ...then you probably aren't a linux newbie playing with a live CD or using a windows installer to install linux... :)

      > ...to support hardware whose driver isn't yet in the mainline kernel, then as I understand it, you can't load such a module into a securely booted kernel without paying the $99 VeriNorton tax.

      Fair enough, but in that event you can optionally
      a) disable secure boot
      b) leave secure boot enabled, self sign the drivers, and install the certificate you are using into uefi yourself.
      c) leave secure boot enabled, and pay the $99 to sign it against the already installed microsoft certificate.

      At least in the x86 ecosystem.

  25. debian. by leuk_he · · Score: 1

    Did you actually try this, particularly if you ran some 12 year old applications?

    1. Re:debian. by sjames · · Score: 1

      The premise was a fresh install followed immediately by an upgrade, so legacy apps don't enter the picture. Naturally, deprecated apps would be an issue for upgrading an ancient production server, but there's little excuse for going that long without upgrading in that case.

  26. Re:why does the craigslist m4m section have so man by Nyder · · Score: 1

    disgusting old homos

    So other homo's that are into disgusting things can hook up?

    My question is, why do you browse that section?

    --
    Be seeing you...
  27. how does? by hesaigo999ca · · Score: 1

    How does one obtain a legitimate windows update certificate? Are they not well maintained and secured?
    Is this an inside job???

  28. Microsoft Security is a joke by Anonymous Coward · · Score: 0

    I would guess - since 1975 all passwords hardcoded into their systems were billgates