OpenBSD's De Raadt Slams Red Hat, Canonical Over 'Secure' Boot
An anonymous reader writes "OpenBSD founder Theo de Raadt has slammed Red Hat and Canonical for the way they have reacted to Microsoft's introduction of 'secure' boot along with Windows 8, describing both companies as wanting to be the new Microsoft."
We have been hearing various people who should know better say that "Red Hat is the next Microsoft" and variations on that theme now for at least a decade. Guess Ubuntu should take it as a sign that they have 'made it' that the same is now being said of them.
Not saying I agree with either of their solutions to the Kobayashi Maru (otherwise known as Secure Boot) problem, but calling them 'traitors' is a bit much. Especially since I can't rightly say I have a better plan and neither does Mr. de Raadt.
Democrat delenda est
I love OpenBSD, and run it on my firewall at home, but anyone who's followed De Raadt over the years has to be 100% expecting this.
Including the over-the-top language.
'Sensible' is a curse word.
Responding to a query from iTWire about what OpenBSD, widely recognised as the most security-conscious UNIX, would be doing to cope with "secure" boot, De Raadt said: "We have no plans. I don't know what we'll do. We'll watch the disaster and hope that someone with enough power sees sense."
Is not wanting to "be the new Microsoft" worth being unprepared for a "disaster?"
Isn't Mr. De Raadt known for being a bit... shall we say, "pointed" on these sorts of things?
-- Stu
/. ID under 2,000. I feel old now.
Ok, Theo, let's hear your solution then. I, for one, would really love the ability to secure boot a Linux system, knowing that every component is still exactly as it was when I last checked it and nobody has sneakily installed malware that secretly emails spam to all my friends and my financial details to carding sites. Trusted hardware root and signed executables are good things. So tell us then how we are supposed to get them? You obviously do not believe that we should be using Microsoft's key to sign the bootloader. What should we use? Keep in mind that while you have no difficulty installing your own keys in the BIOS, to a typical user (you know, those poor shmucks who get infected most often) that's deep voodoo. Also keep in mind that while Microsoft has the pull to get its key loaded by default into all the TPM chips manufactured, Ubuntu does not. Neither does BSD.
This whole Microsoft / Secure Boot situation is outrageous; it should never be allowed to be implemented, and Linux distros should not be having to get anything signed by Microsoft. Hopefully some judge someday will see sense and kill it and also force Microsoft to carry positive mentions of other OSes in their advertisements in a similar fashion to the Apple / Samsung tablet ruling.
Let's change the entire interface to be more like Win7
Since when did Windows 7 have overlay scroll bars, global menus, and the title bar buttons on the left?
else is wrong.
Sadly, MS has the power to take control of our computers away from us, and with Secure Boot they're doing exactly that. This is a direct attack on personal computing and the freedom of the end-user to control the software on their computer.
RMS and Theo De Raadt are both right on this, but neither one of them has the influence needed to avert this attack, so it doesn't matter.
The era of personal, general-purpose computing is over.
I wouldn't be surprised if the mass production of pre-installed systems will be helped with some sort of system that installs "enterprise/OEM" keys into the OS or the BIOS so fully automated installs can take place.
Now where have we seen this done before and what happened because of it? I doubt this whole "secure boot" thing will last very long before software pirates will have found a way around it again. Once that happens, so will the malware authors, and the whole exercise will be useless again, just like all the other copy protection and anti-malware schemes implemented by Microsoft in their desktop operating systems.
I was promised a flying car. Where is my flying car?
You ship the TPM with a per-TPM public key in it, and a USB dongle with a certificate on it signed with the per-TPM secret key for the per-TPM public key, and then you require the presence of the dongle to intermediate the installation of the OS of your choice onto the machine. You allow installation of other public keys signed with the private key, and you have another public key and separate private key to permit per-device self-signing of whatever code you want, but only on a per-device basis.
Then you have your BIOS/EFI/UEFI/Coreboot/u-boot refuse to do anything other than go into "install mode" if the dongle is inserted so that the dongle will be removed after installation for normal operation so that it can't be abused by malware.
After that, all vendors are responsible for securing their own OS past the point of it being loaded into memory.
He has courage. You have to admire him for being so forthright, right or wrong. It takes balls to act as he does in today's "politically correct society" (what a bunch of hooey) - which in my opinion, is just being as honest as he can despite profanities and what-not.
I state that, because there's truly only 1 thing I personally respect in debates: When people are shown incorrect with facts versus their points. Undeniable reputably backed hard facts that are on the subject at hand, only.
Otherwise, things like ad hominem attacks are nothing but rubbish crap, period.
Thus, when Mr. DeRaadt's undeniably shown to be full of utter crap on statements he's made (we all make mistakes, mind you) and, more so, consistently? Then his detractors have actually made a solid point.
When Mr. DeRaadt hasn't been utterly disproven beyond a doubt on his ideas, despite his "let it all hang out" attitude (which to a degree I respect a great deal for the reasons stated above but admittedly, other times not), he has made HIS point, disproving his detractors.
It's as simple as that.
In other words, what I have noted is that when the media or other groups attack a person on illogical grounds, ala ad hominem attacks? They fear them (and often for quite selfish and often nefarious reasons that aren't for the good of others, only themselves. Just an observation from over 1/2 a century of my life now.)
You're replying to a not so cleverly disguised false flag waving anti-Linux troll. Just thought you'd like to know.
The soylentnews experiment has been a dismal failure.
From what I understand, Windows 8 will run on most contemporary hardware. I installed it on a 3.8GHz P4 system and it ran fine. But it looks like if you want Microsoft Certification, then you need a BIOS that contains the UEFI code. But what if a manufacturer doesn't care about Microsoft Certification and elects to install Windows 8 on a PC with a UEFI BIOS? Then Linux or other operating systems should have no problems dual booting with Windows 8. I conclude that market conditions may cause some PC OEMs to eschew this BIOS extension altogether. Especially if it annoys their potential customer base.
Oh, yeah! Wise guy, huh? Woob woob woob woob! Nyuk! Nyuk!
Given that Apple is actively adding Secure Boot Chain to their own devices, I wouldn't place a bet on them as the safe hardware platform here. Normally I buy used Lenovo laptops to put Linux on them. If Microsoft's Secure Boot starts to be more of an issue, I'd probably switch to a Linux hardware rebranding company like Emperor Linux to make sure I didn't end up with a problem system.
Also, Canonical never made a secret of being a wannabe Apple, not exactly Microsoft...
Strange: I'm running Ubuntu (Xubuntu actually), but not on Canonical hardware.
Microsoft is quickly losing influence; I don't think their secure boot stuff is going to be that big of a deal. I would say they have a chance with Windows Server, but 2012 has Metro, so I think they'll be declining on all sides now. They don't seem to care about what people actually want; they just want to push some new thing.
Personally, I never liked Windows, but with Metro even on Server, I'll be seriously pushing Linux at work.
It is official; Netcraft now confirms: *BSD is dying
One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming close on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The handwriting is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.
FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a cockeyed miracle could save *BSD from its fate at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dying
Theo, ranting, is why he got kicked off the NetBSD project. Theo, ranting, is why OpenBSD's drivers for Broadcom chipsets stink. (Look up how the original author tried to resolve the licensing problems of sticking his GPL drivers in an OpenBSD kernel and was ignored, then screamed at by Theo for making the issue public.) Theo, ranting, is why OpenBSD doesn't properly handle booting from software RAID. Theo, ranting, is why the OpenBSD installer works like the UNIX crap I learned to loathe back in 1985 and can't store the state of what you've already selected or go back; you just have to start over from scratch. Theo, ranting, is why OpenSSH has no built-in support for chroot cages. Theo, ranting, is why OpenBSD has no virtualization server capability. Theo, ranting, is why OpenSSH still stores both host keys and, by default, user private keys in clear text with no expiration, and has no plans to fix this. Theo, ranting, is why the "compatibility chart" is a list of chipsets that don't match the actual chipsets published by the manufacturer, and usually are from chipsets at least 4 years old.
Theo, ranting, usually means you're doing something right for your actual client base rather than for his ivory tower. There's a reason OpenBSD is used only by fanboys who run it on "hobby" systems and don't get any work done. And yes, I've dealt with the crap for years: I *wrote* the first SunOS ports of SSH-1, SSH-2, and OpenSSH. (Theo's fan club did not write SSH: they ported Tatu's previously GPL work into OpenSSH, and screwed up the license. Surprisingly little of the actual codebase is due to OpenBSD hosted development.)
What's to stop manufacturers from not including Secure Boot in their hardware? No way there isn't a big market for some Chinese manufacturer to jump onto this and have the Linux world use their hardware.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
http://www.trollaxor.com/2010/06/why-i-left-openbsd.html
Copy and paste from this retard.
Even better, just have a fucking pushbutton on the side of the box.
You want to install your own bootloader? Great, it will try to write its key - and you hit the little button to commit that. A virus sneaks onto your machine? Good luck reaching out of the CPU to toggle a physical contact.
Yes, doing it to iOS devices with their ARM chip. There was nothing from Apple even remotely hinting of doing so with their x86 hardware. Nice FUD, though.
Remember when we used to make fun of the sort of people who would insist that we should say "free software" and not "open source?" I think by this point in time, we can finally acknowledge that they were right: open source is about software development, not respecting or protecting user freedom.
Palm trees and 8
I'm more surprised that BIOS replacement isn't already more prominent. It's not all that complicated to reverse engineer hardware initialization; it's just that it isn't necessary. Hardware will always be rootable. And software will always be able to implement emulation and man-in-the-middle on such hardware. It will just require more active participation from the hardware owner; no virus or software installation will be able to root the system without you actively participating.
but the more I got involved in developing for OpenBSD the more I was dissuaded from doing so. Part of the issue was this focus on security.
Wait, the thing that bothered you about OpenBSD development is that it was focused on security? Friend, I'm gonna say you should have done a little more research before deciding to join that project.
"First they came for the slanderers and I said nothing."
Nobody can tell me that people like yourself, who act the meek worm online with innuendo and implications with no backing and are now playing psychiatric pro (which you clearly are not), are not the worst offender of all via every implication and innuendo possible.
Theo, I see you are your cordial self as always.
-- Saying GNOME 3 is better than Windows 8 is not so much a compliment as it is damning with light praise.
Why is this a Microsoft story, as opposed to a BSD story (somehow, OpenBSD tag doesn't translate into BSD) or a Linux story (since Red Hat & Canonical are involved)? Why doesn't /. automatically tag any OpenBSD stories BSD, and Red Hat & Canonical story Linux?
With "Secure" Boot, hardware must no longer allow BIOS to be freely flashed, it must only be replaced with a new cryptographically signed BIOS image. That must be true for both the main one and the option ROMs. Otherwise the "secure" boot mechanism would be meaningless. (Not that it has much meaning anyway...)
In this situation, it's more pragmatic to require distributors of free software to also distribute the keys needed by the user to run modified versions of the software. A requirement that the authors of GPLv3, with foresight, chose to adopt, with no lack of criticism for being too "extremist".
Apple has had something similar to this for so long that they still only sold PowerPCs back then.
idk... so I'm asking. Say I purchase hw with Windows 8 preinstalled... and I don't want to fuck with any of this BIOS key bullshit, nor run Windows 8, nor any Windows on bare iron (because I am, in fact, sane), but only free software: can I simply reflash the OEM-placed SecureBoot with another non-SecureBoot BIOS? What of coreboot (LinuxBIOS)? Can I still use that? If so, why don't Canonical, Red Hat and the BSDs make something along these lines an option in their plans? Who forced the top Linux distros to whittle down options to a single non-choice option?
The Admin and the Engineer
There is nothing (apart from cost and practicality) stopping other vendors/distros/organisations from negotiating with hardware manufacturers to have their keys pre-installed, but consider this. Microsoft's actions are restraining trade. Microsoft is using their dominant market position to have hardware manufacturers ship with UEFI enabled by default, with Microsoft keys enabled by default. They are saying to the manufacturers, if you want to label your hardware Windows compliant you must do X, where X affects other vendors by making their product more difficult to use. Microsoft doesn't need to pay for this 'service' from the manufacturers; the manufacturers are forced to comply in order to sell their products (because of Windows' dominant market share). Isn't this already anti-trust, but against the manufacturers? Other vendors who don't have the market share have two choices:
2) pre-installation of all available certs by the manufacturer (now guess for how many reasons manufacturers aren't going to auto-install keys for all available Linux/HURD/BSD distros; yep, there are many).
Both options sound like anti-trust to me. In my mind it would be better for manufacturers to ship with NO keys, and if you want to install an OS, then the OS installation instructions just have to include the extra step explaining what needs to be done. Again, for Joe Schmo who buys his whole PC retail, this doesn't affect him, because some IT guy in a backroom does the installation. The machine comes with one key, for whatever OS Joe wants installed. Practically speaking, this means that everyone will preinstall Windows whether or not the customer wants it, same as now. Nothing would stop larger or smaller *nix distro users from installing the appropriate keys. Microsoft's advantage would be that the retail industry does work for them for free, same as now. I'm not saying it's right. I'm saying it's not a catastrophe. Microsoft pays for this advantage in a way, through marketing, lobbying, etc. Canonical and Red Hat could negotiate similar advantages directly, for example with dell/hp/best-buy ... it's probably not worth their while.
It will be difficult to boot the Hurd on these machines? Think of the poor 4 people this will inconvenience...
1) They can only install other OSes on x86 machines. On ARM they cannot. There will be no rooting your Win 8 phone/tablet.
2) As they point out, making non-technical people boot into the bios and disable secure boot is a significant barrier to allowing them to install other OSes.
Hell, it wouldn't cost the manufacturers much. For *years* BIOSes had flags for booting in a 9X-compatible way, then XP. SATA drive controllers still tend to have an option to emulate IDE, mostly for the benefit of older OSes.
So why not just have a checkbox in the BIOS, "Allow generic boot key", disabled by default, and have a general key for Linux/BSD. Easy enough for most who will use Linux to still make the system bootable, and it allows the system to be locked down by default.
So, uhm, what else can this bootloader load? Say Windows but modified in a malicious way? Certainly it would seem that GRUB should be able to do that, if nothing else?
I must say I don't really see this making much sense from any kind of security perspective.
[My probably first reply to an AC here.]
All right. I'd mod you insightful if you weren't an AC. But you are a dreamer. Microsoft isn't really interested in security. If they were, they'd already have thrown in the towel and de-registered themselves as a company.
The intention is to effectively close the market to competitors. Think, and think hard: what percentage of the computer-buying population would actually even consider fiddling with some boot options to get anything but Windows running? As of today, you can throw in an Ubuntu CD and just give it a try (actually, many did, and most revert to Windows). As of tomorrow, you simply can't do it that simply.
Oh, sorry, wrong example here: Ubuntu == Canonical.
As an ex-sysadmin I can tell you that you'd be fired for the next malware problem, any next malware problem, if only you dared to remove the Secure Boot lock. Because pointy-haired bosses do not think that thinking is required for their jobs.
The point of a dongle is physical separation. A push button would let someone left alone with the computer for a few seconds install malware that looks sufficiently like the default system that there is little likelihood of the user noticing.
So for example, you could have a nominally secure OS, like Chrome OS, where it's hard to get a key logger onto it because of the way the TPM is used, and you could install a fake version of the OS that has a built in keylogger which looks and acts sufficiently like the OS that's supposed to be there that the user can't tell the difference.
If you go the push button route, you need to combine it with a mandatory wait interval (on Chrome OS, it's 5 minutes, if you switch the developer switch), on the theory that someone who is not trusted won't be left alone with a machine for longer than 5 minutes, and then this is combined with a user safety screen which beeps and makes you explicitly use the keyboard to get around it and/or wait 30 seconds on each boot to notify you that the push button has been used.
This still isn't great, since if you are left for 5 minutes + 8 seconds with an already booted device, you can get it compromised and rebooted in about 5 minutes and 17 seconds. The binary option, using the dongle, closes that race window entirely.
I think Red Hat's and Canonical's decisions are their own counterargument. As paradoxical as that sounds.
The argument against UEFI is that it gives an advantage to Microsoft, putting them in control of licensing.
The counter argument is that UEFI has provisions for running other OS, that don't rely on Microsoft.
Red Hat and Canonical, Microsoft competitors, chose to contract licensing from Microsoft.
Whatever UEFI provisions are*, they are bad enough that paying Microsoft is the better alternative, so it is still the case that UEFI favors Microsoft.
* UEFI provisions are:
1.- Users can disable Secure Boot.
2.- Users can sign their own OS at their expense.
3.- Users can install keys provided by distributions.
4.- Distributions can make deals with OEMs to include their keys.
But... the future refused to change.
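The mechanisms the last few posts argue over (a firmware that boots only images carrying a signature from an enrolled key, keys that can be enrolled or the check disabled only with physical presence, i.e. the dongle or push button proposed earlier, and distro images signed by the platform vendor's key) can be put side by side in one small model. The Python below is an added example, not code from the thread, from any firmware vendor or from the UEFI specification. The `Firmware` class, the key names "vendor" and "distro", the image byte strings and the toy textbook RSA over Mersenne primes (standing in for a real signature scheme) are all constructed for illustration.

```python
"""Toy model of a Secure Boot style firmware key policy (added example).

Assumptions (not from the thread or any vendor): the Firmware class, the
key names "vendor"/"distro", the image byte strings, and the use of toy
textbook RSA over Mersenne primes in place of a real signature scheme.
"""
import hashlib
from dataclasses import dataclass, field

E = 65537  # public exponent shared by all toy keys


def make_toy_keypair(p: int, q: int):
    """Textbook RSA key from two primes; returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse (Python 3.8+)
    return (n, E), (n, d)


def _digest_int(image: bytes) -> int:
    # SHA-256 truncated to 192 bits so the value is below every toy modulus
    # used here (the smallest is about 2^216). A real scheme pads instead.
    return int.from_bytes(hashlib.sha256(image).digest()[:24], "big")


def sign(private_key, image: bytes) -> int:
    n, d = private_key
    return pow(_digest_int(image), d, n)


def verify(public_key, image: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_int(image)


@dataclass
class Firmware:
    """Boot policy: enrolled keys (db), on/off switch, physical-presence gate."""
    db: dict = field(default_factory=dict)  # key name -> public key
    secure_boot: bool = True
    # Stands in for the dongle / push button from the thread: only true while
    # a person is physically at the machine, never settable by booted software.
    physical_presence: bool = False

    def enroll_key(self, name: str, public_key) -> None:
        if not self.physical_presence:
            raise PermissionError("key enrollment requires physical presence")
        self.db[name] = public_key

    def set_secure_boot(self, enabled: bool) -> None:
        if not self.physical_presence:
            raise PermissionError("changing the policy requires physical presence")
        self.secure_boot = enabled

    def boot(self, image: bytes, signature: int) -> str:
        if not self.secure_boot:
            return "booted (unverified)"
        for name, public_key in self.db.items():
            if verify(public_key, image, signature):
                return f"booted (verified by {name})"
        return "refused"


def demo() -> dict:
    """Walk through the routes the thread argues about and return each outcome."""
    # Mersenne primes 2^89-1, 2^107-1, 2^127-1 keep the toy keys distinct.
    vendor_pub, vendor_priv = make_toy_keypair((1 << 107) - 1, (1 << 127) - 1)
    distro_pub, distro_priv = make_toy_keypair((1 << 89) - 1, (1 << 127) - 1)

    # Machine as shipped: only the platform vendor's key is enrolled.
    fw = Firmware(db={"vendor": vendor_pub})
    vendor_img = b"constructed vendor bootloader image"
    distro_img = b"constructed distro bootloader image"
    out = {}

    out["vendor_image"] = fw.boot(vendor_img, sign(vendor_priv, vendor_img))
    distro_sig = sign(distro_priv, distro_img)
    out["distro_unenrolled"] = fw.boot(distro_img, distro_sig)  # key not in db

    # Booted software (e.g. malware) tries to enroll a key without presence.
    try:
        fw.enroll_key("distro", distro_pub)
        out["remote_enroll"] = "allowed"
    except PermissionError:
        out["remote_enroll"] = "denied"

    # The owner at the keyboard enrolls the distro key, then presence ends.
    fw.physical_presence = True
    fw.enroll_key("distro", distro_pub)
    fw.physical_presence = False
    out["distro_enrolled"] = fw.boot(distro_img, distro_sig)
    out["tampered"] = fw.boot(distro_img + b"\x00", distro_sig)  # one byte changed

    # The route Red Hat and Canonical chose: the distro image carries the
    # vendor's signature, so it boots on the machine as shipped.
    out["distro_vendor_signed"] = fw.boot(distro_img, sign(vendor_priv, distro_img))

    # The opt-out route: Secure Boot switched off, again only with presence.
    fw.physical_presence = True
    fw.set_secure_boot(False)
    fw.physical_presence = False
    out["secure_boot_off"] = fw.boot(b"constructed unsigned image", 0)
    return out


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:22} {outcome}")
```

The point the model makes is that the four provisions listed above are all decisions about who holds a key in `db` and who is allowed to change it; the physical-presence gate is what separates "the owner enrolled a key" from "something that booted enrolled a key", which is exactly the distinction the dongle and push-button posts are about.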
It's a plausible argument. I'm not sure it's really strong enough for legal proof, though. I'm not a lawyer, so I couldn't really say further than that.
"Canonical and Red Hat could negotiate similar advantages directly, for example with dell/hp/best-buy ... it's probably not worth their while."
Well, for us (RH) it really isn't, because that's not really what we do - we don't sell consumer OSes in retail. Canonical has more ambition in that direction. They do actually have a plan to self-sign for OEM preloads of Ubuntu; only the 'normal' downloadable Ubuntu images, intended for end-user installation onto systems that shipped with Windows, will be signed with Microsoft's key. If you actually go buy a system with Ubuntu pre-installed from a Canonical-approved reseller, so their plan goes, you'll get a copy of Ubuntu that's pre-signed with a Canonical key.
If you have the skillset it is easy. It does take work though even if you do have that skillset. The number one motivation to do work is necessity, the second being interest.