Richard Stallman Speaks About UEFI
An anonymous reader writes "Despite weaknesses in the Linux-hostile 'secure boot' mechanism, both Fedora and Ubuntu decided to facilitate it, by essentially adopting two different approaches. Richard Stallman has finally spoken out on this subject. He notes that 'if the user doesn't control the keys, then it's a kind of shackle, and that would be true no matter what system it is.' He says, 'Microsoft demands that ARM computers sold for Windows 8 be set up so that the user cannot change the keys; in other words, turn it into restricted boot.' Stallman adds that 'this is not a security feature. This is abuse of the users. I think it ought to be illegal.'"
Richard's story, The Right To Read, has already sort of predicted this move.
Despite what people say about Restricted Boot, it opens up the world of computers to a whole new set of attacks... by megacorporations like Microsoft.
Don't like it? Go into your BIOS and turn it off. The specification mandates that it have a disable option. How hard is it to disable? Take a look at this image: http://imgur.com/QW1Pp
It is even worse than that - if it won't be possible to change the certificate on a machine and that certificate gets compromised, then it means there is no security anymore either... The device is now junk after maybe one month of owning it. You need a new device regardless. And don't tell me you have not heard of the certificates for Blu-ray and so on being compromised...
Blu-ray players have a private key to decrypt that can be compromised. Secure Boot only has a public key to verify so it can't be compromised, there's no secret.
The alternative - Microsoft can remotely update the certificate, but that also means any remote attacker who breaks the key can change it...
No. If Microsoft was to be hacked and their signing key compromised - a pretty heavy feat of hacking in itself, they'd pull out their root key and revoke that key then create and sign a new signing key. This is PKI 101, you always have a root key for situations like this. Of course if their root key was compromised they're fucked, but that one is deep in a vault deep in the bowels of Microsoft and the only place it'd come out would be in a secure facility to sign a new signing key.
Live today, because you never know what tomorrow brings
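The key hierarchy the comments above argue about, as an added example that is not part of the original thread: the verifier holds only a root public key, the root certifies a signing key, and a root-signed revocation retires a compromised signing key. It uses textbook RSA over small constructed keys purely for illustration; every name is hypothetical and it does not model UEFI's actual data structures.

```python
import hashlib

E = 65537  # RSA public exponent

def mersenne(k):
    return 2**k - 1  # prime for the exponents used below: 31, 61, 89, 107

def keypair(p, q):
    """Toy RSA key: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):        # requires the private exponent d
    return pow(digest(data, n), d, n)

def verify(data, sig, n):    # requires only the public modulus n
    return pow(sig, E, n) == digest(data, n)

def key_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

# Constructed toy keys, far too small for real use.
ROOT_N, ROOT_D = keypair(mersenne(89), mersenne(107))  # offline root key
OLD_N, OLD_D = keypair(mersenne(31), mersenne(61))     # signing key, later compromised
NEW_N, NEW_D = keypair(mersenne(61), mersenne(89))     # replacement signing key

def certify(n):
    """Root vouches for a signing key."""
    return sign(b"signing-key:" + key_bytes(n), ROOT_N, ROOT_D)

def revoke(n):
    """Root retires a signing key."""
    return sign(b"revoked:" + key_bytes(n), ROOT_N, ROOT_D)

def firmware_accepts(image, image_sig, signer_n, signer_cert, revocations):
    """The verifier stores ROOT_N only; revocations is a list of (n, root_sig)."""
    if not verify(b"signing-key:" + key_bytes(signer_n), signer_cert, ROOT_N):
        return False  # signing key was never certified by the root
    for n, sig in revocations:
        # Honour a revocation only if the root really signed it.
        if n == signer_n and verify(b"revoked:" + key_bytes(n), sig, ROOT_N):
            return False
    return verify(image, image_sig, signer_n)
```

The revocation list has to reach the verifier for the old key to stop being accepted; a device that never receives the update keeps trusting it.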
Don't like it? Go into your BIOS and turn it off. The specification mandates that it have a disable option.
No, no the specification does NOT mandate that it have a disable option. The specification simply does not prohibit providing such an option (for the moment at least). The motherboard manufacturer and/or BIOS makers are completely free to not provide a disable option if they so desire.
Whether the (lack of) option becomes common or not is another thing entirely, of course.