I do ponder exactly what legal loophole did B&N managed to use to get out of that contract and be able to use the information in court.
As I understand it, they signed an NDA concerning the contents of the meeting where they were supposed to receive the information on which patents they were allegedly infringing... but that information never came out in the meeting. Later, when they received the packet of information detailing which patents they were allegedly infringing, that particular data was not covered by the NDA they signed referencing the meeting, because it did not occur at that meeting.
At least, that's what I recall of the previous discussion of "how they got away with violating the NDA" - Put simply, they didn't.
How is it not a valid test? If the concept is to provide a secure boot chain, and it can be fooled into thinking it has a secure boot chain when it does not, then the concept has been proven to be flawed. This entire line of reasoning is flawed, and "Secure Boot" is broken before it is even a product.
Sorry I had to bludgeon it through, which you took as ad hominem...
"Now get back to programming Silverlight on your Zune." "Sorry if your 'critical thinking' selectively ignores words." "Sorry if that disturbs your little Microsoft-is-betterer worldview."
Sorry, how was I supposed to take those statements? Seemed fairly aggressive to me. Nevertheless, I attempted to respond to the factual data instead of your childish prodding. I finally got fed up with your immature and inflamatory style, and responded to your (repeated) attacks on me (suggesting I am pro-Microsoft) "with an irrelevant Windows vs Linux debate."
You may be educated, but your attitude sucks; it will color any debate you have on any subject, because you have an annoying habit of making the person on the other side of the table want to stand up and punch you in the face instead of paying attention to the facts you are presenting. That is what makes you a punk.
Windows 8 *can* boot from an unsecured boot chain by design. Windows 8 does not require secure booting.
Yes, it can boot from an unsecured boot chain, but does it think it's sitting on a secure boot chain? Or does it know that it's not on a secure boot chain, and shut back down (or decide not to boot) if it's configured to do so?
My main point is that regardless of what the safe manufacturer says, it would be no fun to try to restore a backup from a puddle of plastic in the bottom of the tape safe - backups should be stored offsite.
I know, it's not reasonable to think that a tape would actually turn into a puddle of molten plastic - but it does get the point across to the customer.
You have an annoying habit of attacking the arguer, rather than the argument. My "little Microsoft-is-betterer worldview" is non-existant - I may be an MCP, but I run Linux on the majority of my machines, and often recognize that Apple systems are better for certain things (such as "many, if not most, multimedia applications"). In public. You know, like when someone asks me "What's the best, Mac or Windows?" - I tend to respond with "What do you want to do with your computer?"
It's probably easier for me to admit that none of the major operating systems are perfect, since I have run in non-homogeneous environments for the past 7 or 8 years. It's also probably helpful to my Apple acceptance that my brother-in-law is an Apple tech.
I still think Windows is a pretty good desktop OS, despite Microsoft's attempts to drive off their users with the latest iterations of "everything's a tablet". Ubuntu has also done its fair share of that, as have Fedora and any other Gnome-based distributions, lately. KDE had its turn for major broken-ness and user hatred, looks like this year its Gnome's turn. XFCE is a decent substitute, although I'm thinking I'll stick with Gnome2 just a bit longer (because I can, and I'm resistant to change - besides, I have more important things to do than learn a new method just because something is newer (read "not necessarily better")).
Linux shines on servers. Desktop OS uptake may be mediocre, but servers are overwhelmingly Linux-based, and have been for a really long time.
If I didn't think you were such a small-minded punk for being unable to resist your little ad hominem jabs, I'd thank you for pointing out to me that I missed those two little words that are so very germane to the discussion: "Apple-supplied". I managed to miss them twice, in my righteous indignation.
RAID is no substitute for backups. Yes, RAID5 will handle a single disk crashing.... but if the building burns down, "where did my datas go?" if more than one drive fails simultaneously... if a drive dies while you're still resyncing your array from the first disk crash... if you don't notice you have a failed drive because you didn't install the disk-monitoring tools...
You can mirror all you want to, and if the data never leaves the room, it's not backed up.
I guess a potential solution using only RAID would be to use a hot-swap hardware mirroring solution, and swap out the drive(s) every night. Sure is an awful lot of spare drives, though. I mean, you don't want to lose data because you didn't notice it was gone for a week or two, right? Never mind the huge amount of time/productivity lost resyncing constantly - and I hope that machine doesn't need to be operating at peak efficiency, ever.
So we need the array of disks we start with (and any hot spares), plus enough cold spares to have enough backups available that we can restore a file that the CEO's nephew deleted 3 weeks ago to make room for his pirated music collection... if we rotate the same 4 drives Mondays, Tuesdays, Wednesdays, and Thursdays, so that we have a 1-week timer on short-term backups... let's assume Friday night is a weekly backup that we keep separate for 4 weeks, so we need "fresh" disks on Fridays, and we keep a month's worth of those... cool, we can get away with only 10 drives for a 2-disk mirror with no hot spares, and our "cold spare RAID-based backup system". At $100 per consumer-grade 1TB hard drive, we would only be spending $1000 to have (arguably) 30 days' worth of backups of 1TB of production server.
Or, we could spend that same amount of money on 4 1TB drives (RAID1 with 1 hot spare and 1 cold spare (on hand so you don't have to worry about a drive failure while you wait for your next package from NewEgg), a cheapo tape drive, and enough tapes to be able to restore data from 30 months ago, instead of 30 days.
Enterprise-level staff never even thinks about it - tapes, like everything else, are cheaper in bulk, and they're not running multi-million(or billion)-dollar industries with consumer-grade equipment, so there's no price comparison whatsoever.
Unfortunately, the penny-savers are also experts at the blame game, and have a disaster recovery plan of "point the finger at the IT guy".
Make sure you document every discussion of backup solutions with the beancounters, in case something actually happens before you convince them not to be dumb.
If you want your company to get better backups, run a simulation of what would happen if something failed.
Quickest and easiest way to do this in a dramatic way?
During a chat with the CEO, reach over and shut down a random server. Ask him where all the datas went, and how the company is going to operate without whatever data was on that server for however long it would take to recreate the data. Might get you fired, but might also make him reconsider the backup project he just axed because it would require him to put off that new car purchase for 6 weeks.
Just taking the devil's advocate position, here, but it sounds as if you have enough data that it might be worthwhile to move your data storage into the cloud, and access it from there - let the remote site's IT guys worry about the backups.
Offsite backups are what a lot of companies don't do. They might back up to tape, but the tapes are stored in a pile next to the server. And they never test them.
Agreed. One of the many phrases in my litany on customers backing up is "Yes, that safe is fireproof. For paper. Plastic melts at a much lower temperature than paper burns." Not only do not enough companies run backups on a regular and timely basis, but too many of the ones that do run backups don't see the need for having the storage media offsite.
Anecdotal evidence: I personally just installed ubuntu using software raid 1 on a desktop system - it added a single step to the installation process, and required me to use the "alternate install" cd instead of the standard live cd. The server install already has the required files.
Easy-peasy, although raid isn't a substitute for backups.
Are you trying to say that Microsoft doesn't have a track record of doing anything and everything they can to restrain competing operating systems?
Or are you trying to say that "considering a scenario wherein a monopoly desktop operating system vendor who has been caught several times doing unorthodox and illegal things to keep their desktop operating system monopoly safe would do anything they could to prevent their competition from being able to compete" makes me paranoid?
Also, you shouldn't have said "yet" if you were planning to add "... this time". And you can complain about my grammar nazism all you want to, but doing the same thing in a program or shell script would yield unexpected results - that's why syntax is so important.
There's a list here of a couple dozen free (as in beer and as in speech) games for Linux, many of which are really good.
This list is just the "very best" games, regardless of whether they are free or paid, open or closed source.
One of my favorite things about that site is the ability to filter by open/closed source, free/paid, and whether or not the game has been awarded a "Pengu's Choice". There are some really solid games out there, and many of the best ones run on Linux.
Now name popular games for linux not made by ID Software or ported by Loki.
From the wine app database, that I linked in my previous post:
Final Fantasy XI. World of Warcraft. StarCraft I and II. Guild Wars. Team Fortress 2. Left 4 Dead. Counter-Strike: Source. Warcraft III. Half-Life 2.
These are from the list of "Platinum" support, which states as its description "Applications which install and run flawlessly on an out-of-the-box Wine installation". You can go here for a list of 1,568 items listed as supported under wine with a rating of "Platinum", in the category "Games".
The "Gold" and "Silver" lists are rather extensive, as well, and the descriptions for those ratings lead me to believe those ratings will still be playable.
As an aside, you can play a perfect (and legal) reproduction of Quake 3 Arena at http://www.quakelive.com - in your browser, OS-agnostic, and at high frame rates. My machine pushes 125 fps at 1920x1080 (full screen) with all graphics options maxed and a dozen people in the arena, so it doesn't seem at all crippled by running in a browser plug-in.
Ad hominem attacks are a dead giveaway for someone who hasn't got the critical thinking skills or factual basis to support their arguments.
That being said, I think you missed the operative sentence from the official apple development website's statement, there: "Developers should not rely on the Apple-supplied Java runtime being present in future versions of Mac OS X."
In other words, Java may or may not make it to the next version of Mac OS - Oracle-supplied or not.
The information you're overlooking is that this is not an attack on UEFI, or the UEFI Secure Boot process.
The trick here is getting Windows to think it booted from a secure boot chain, and so not set off any alarms... even though it's already rooted by the time it thinks to check.
He probably should have waited until after W8 was released, now they have a chance to patch out all his hard work before anyone gets a chance to make use of it.
Microsoft is already aware of the contents of the entire paper, because he gave it to them.
Yup, nothing quite like booting up already rooted - which is what I believe this exploit does.
If I understand it properly, it allows the system to boot in an insecure way, then pulls a hand-wavy Jedi mind trick, telling Windows 8's SecureBoot that everything is fine, nothing's unsecure, all is well... the trick being that SecureBoot believes it.
this is just someone changing a bios setting and writing a bootloader
.. that is only 14k, and can be loaded via a CD or USB storage device. While disabling password authentication.
Admittedly, the part where physical access to the box is required makes it a bit more difficult to implement, but the fact remains that this is (allegedly) a method of defeating Windows 8's SecureBoot - remote delivery mechanisms can come later. Early versions will require breaking and entering, or social engineering, but this is nothing new to the dedicated IT criminal.
Also, I never stated this had anything to do with breaking UEFI. Nor did the bootkit's author.
Uhh UEFI literally has no MBR, it doesn't exist. So please explain to me how this exploit functions when the MBR doesn't exist? I think he is booting his drives in the wrong mode, which is to say legacy MBR mode instead of ADAPI/UEFI mode.
I'll explain it quite simply: It's not a UEFI exploit. The trick here is nothing to do with UEFI.
The trick is simply the ability to boot Windows 8 with SecureBoot enabled, and have it happily boot, thinking everything is hunky-dory, without actually having UEFI or its Secure Boot enabled (or even present).
Got it? This exploit fools the Windows 8 security feature called SecureBoot into thinking that it has booted from a secure boot chain, when in reality it not only hasn't done that, but is already rooted.
As I have stated over and over again in this thread, this hack doesn't have anything to do with UEFI, and it's not supposed to.
The target is Windows 8's SecureBoot technology. This hack allows one to boot from an unsecured boot chain, while telling SecureBoot "everything is ok, we're happilly booting from UEFI with a secure boot chain" - and SecureBoot believes it.
Car analogy: You push the button on the remote to lock the car doors, watch the lights flash and hear the alarm system "beep" to indicate that the doors are locked, and yet none of the locks are actually engaged.
Slashdot Mirror
I do ponder exactly what legal loophole did B&N managed to use to get out of that contract and be able to use the information in court.
As I understand it, they signed an NDA concerning the contents of the meeting where they were supposed to receive the information on which patents they were allegedly infringing... but that information never came out in the meeting. Later, when they received the packet of information detailing which patents they were allegedly infringing, that particular data was not covered by the NDA they signed referencing the meeting, because it did not occur at that meeting.
At least, that's what I recall of the previous discussion of "how they got away with violating the NDA" - Put simply, they didn't.
How is it not a valid test? If the concept is to provide a secure boot chain, and it can be fooled into thinking it has a secure boot chain when it does not, then the concept has been proven to be flawed. This entire line of reasoning is flawed, and "Secure Boot" is broken before it is even a product.
Sorry I had to bludgeon it through, which you took as ad hominem...
"Now get back to programming Silverlight on your Zune."
"Sorry if your 'critical thinking' selectively ignores words."
"Sorry if that disturbs your little Microsoft-is-betterer worldview."
Sorry, how was I supposed to take those statements? Seemed fairly aggressive to me. Nevertheless, I attempted to respond to the factual data instead of your childish prodding. I finally got fed up with your immature and inflamatory style, and responded to your (repeated) attacks on me (suggesting I am pro-Microsoft) "with an irrelevant Windows vs Linux debate."
You may be educated, but your attitude sucks; it will color any debate you have on any subject, because you have an annoying habit of making the person on the other side of the table want to stand up and punch you in the face instead of paying attention to the facts you are presenting. That is what makes you a punk.
Windows 8 *can* boot from an unsecured boot chain by design. Windows 8 does not require secure booting.
Yes, it can boot from an unsecured boot chain, but does it think it's sitting on a secure boot chain? Or does it know that it's not on a secure boot chain, and shut back down (or decide not to boot) if it's configured to do so?
My main point is that regardless of what the safe manufacturer says, it would be no fun to try to restore a backup from a puddle of plastic in the bottom of the tape safe - backups should be stored offsite.
I know, it's not reasonable to think that a tape would actually turn into a puddle of molten plastic - but it does get the point across to the customer.
You have an annoying habit of attacking the arguer, rather than the argument. My "little Microsoft-is-betterer worldview" is non-existant - I may be an MCP, but I run Linux on the majority of my machines, and often recognize that Apple systems are better for certain things (such as "many, if not most, multimedia applications"). In public. You know, like when someone asks me "What's the best, Mac or Windows?" - I tend to respond with "What do you want to do with your computer?"
It's probably easier for me to admit that none of the major operating systems are perfect, since I have run in non-homogeneous environments for the past 7 or 8 years. It's also probably helpful to my Apple acceptance that my brother-in-law is an Apple tech.
I still think Windows is a pretty good desktop OS, despite Microsoft's attempts to drive off their users with the latest iterations of "everything's a tablet". Ubuntu has also done its fair share of that, as have Fedora and any other Gnome-based distributions, lately. KDE had its turn for major broken-ness and user hatred, looks like this year its Gnome's turn. XFCE is a decent substitute, although I'm thinking I'll stick with Gnome2 just a bit longer (because I can, and I'm resistant to change - besides, I have more important things to do than learn a new method just because something is newer (read "not necessarily better")).
Linux shines on servers. Desktop OS uptake may be mediocre, but servers are overwhelmingly Linux-based, and have been for a really long time.
If I didn't think you were such a small-minded punk for being unable to resist your little ad hominem jabs, I'd thank you for pointing out to me that I missed those two little words that are so very germane to the discussion: "Apple-supplied". I managed to miss them twice, in my righteous indignation.
RAID is no substitute for backups. Yes, RAID5 will handle a single disk crashing. ... but if the building burns down, "where did my datas go?"
if more than one drive fails simultaneously...
if a drive dies while you're still resyncing your array from the first disk crash...
if you don't notice you have a failed drive because you didn't install the disk-monitoring tools...
You can mirror all you want to, and if the data never leaves the room, it's not backed up.
I guess a potential solution using only RAID would be to use a hot-swap hardware mirroring solution, and swap out the drive(s) every night. Sure is an awful lot of spare drives, though. I mean, you don't want to lose data because you didn't notice it was gone for a week or two, right?
Never mind the huge amount of time/productivity lost resyncing constantly - and I hope that machine doesn't need to be operating at peak efficiency, ever.
So we need the array of disks we start with (and any hot spares), plus enough cold spares to have enough backups available that we can restore a file that the CEO's nephew deleted 3 weeks ago to make room for his pirated music collection... if we rotate the same 4 drives Mondays, Tuesdays, Wednesdays, and Thursdays, so that we have a 1-week timer on short-term backups... let's assume Friday night is a weekly backup that we keep separate for 4 weeks, so we need "fresh" disks on Fridays, and we keep a month's worth of those... cool, we can get away with only 10 drives for a 2-disk mirror with no hot spares, and our "cold spare RAID-based backup system". At $100 per consumer-grade 1TB hard drive, we would only be spending $1000 to have (arguably) 30 days' worth of backups of 1TB of production server.
Or, we could spend that same amount of money on 4 1TB drives (RAID1 with 1 hot spare and 1 cold spare (on hand so you don't have to worry about a drive failure while you wait for your next package from NewEgg), a cheapo tape drive, and enough tapes to be able to restore data from 30 months ago, instead of 30 days.
Enterprise-level staff never even thinks about it - tapes, like everything else, are cheaper in bulk, and they're not running multi-million(or billion)-dollar industries with consumer-grade equipment, so there's no price comparison whatsoever.
Is there a linux recycle bin implementation?
Yes, it's called "Trash" - but it only works if the delete function uses it.
Unfortunately, the penny-savers are also experts at the blame game, and have a disaster recovery plan of "point the finger at the IT guy".
Make sure you document every discussion of backup solutions with the beancounters, in case something actually happens before you convince them not to be dumb.
If you want your company to get better backups, run a simulation of what would happen if something failed.
Quickest and easiest way to do this in a dramatic way?
During a chat with the CEO, reach over and shut down a random server. Ask him where all the datas went, and how the company is going to operate without whatever data was on that server for however long it would take to recreate the data. Might get you fired, but might also make him reconsider the backup project he just axed because it would require him to put off that new car purchase for 6 weeks.
Just taking the devil's advocate position, here, but it sounds as if you have enough data that it might be worthwhile to move your data storage into the cloud, and access it from there - let the remote site's IT guys worry about the backups.
Offsite backups are what a lot of companies don't do. They might back up to tape, but the tapes are stored in a pile next to the server. And they never test them.
Agreed. One of the many phrases in my litany on customers backing up is "Yes, that safe is fireproof. For paper. Plastic melts at a much lower temperature than paper burns." Not only do not enough companies run backups on a regular and timely basis, but too many of the ones that do run backups don't see the need for having the storage media offsite.
Anecdotal evidence: I personally just installed ubuntu using software raid 1 on a desktop system - it added a single step to the installation process, and required me to use the "alternate install" cd instead of the standard live cd. The server install already has the required files.
Easy-peasy, although raid isn't a substitute for backups.
Are you trying to say that Microsoft doesn't have a track record of doing anything and everything they can to restrain competing operating systems?
Or are you trying to say that "considering a scenario wherein a monopoly desktop operating system vendor who has been caught several times doing unorthodox and illegal things to keep their desktop operating system monopoly safe would do anything they could to prevent their competition from being able to compete" makes me paranoid?
Also, you shouldn't have said "yet" if you were planning to add "... this time". And you can complain about my grammar nazism all you want to, but doing the same thing in a program or shell script would yield unexpected results - that's why syntax is so important.
Yeah, X3: Reunion. The game EVE-Online players go to when they get bored with computer-controlled guns.
There's a list here of a couple dozen free (as in beer and as in speech) games for Linux, many of which are really good.
This list is just the "very best" games, regardless of whether they are free or paid, open or closed source.
One of my favorite things about that site is the ability to filter by open/closed source, free/paid, and whether or not the game has been awarded a "Pengu's Choice". There are some really solid games out there, and many of the best ones run on Linux.
Please note that PenguSpy doesn't rely on wine, like my other list of games for Linux - these games all run natively on Linux, no wine required.
Now name popular games for linux not made by ID Software or ported by Loki.
From the wine app database, that I linked in my previous post:
Final Fantasy XI.
World of Warcraft.
StarCraft I and II.
Guild Wars.
Team Fortress 2.
Left 4 Dead.
Counter-Strike: Source.
Warcraft III.
Half-Life 2.
These are from the list of "Platinum" support, which states as its description "Applications which install and run flawlessly on an out-of-the-box Wine installation". You can go here for a list of 1,568 items listed as supported under wine with a rating of "Platinum", in the category "Games".
The "Gold" and "Silver" lists are rather extensive, as well, and the descriptions for those ratings lead me to believe those ratings will still be playable.
As an aside, you can play a perfect (and legal) reproduction of Quake 3 Arena at http://www.quakelive.com - in your browser, OS-agnostic, and at high frame rates. My machine pushes 125 fps at 1920x1080 (full screen) with all graphics options maxed and a dozen people in the arena, so it doesn't seem at all crippled by running in a browser plug-in.
Wow, that is confusing - I didn't know what C-11 was, so I Googled it... and the immigration bill is what came back.
Thanks for the clarification.
Ad hominem attacks are a dead giveaway for someone who hasn't got the critical thinking skills or factual basis to support their arguments.
That being said, I think you missed the operative sentence from the official apple development website's statement, there:
"Developers should not rely on the Apple-supplied Java runtime being present in future versions of Mac OS X."
In other words, Java may or may not make it to the next version of Mac OS - Oracle-supplied or not.
The information you're overlooking is that this is not an attack on UEFI, or the UEFI Secure Boot process.
The trick here is getting Windows to think it booted from a secure boot chain, and so not set off any alarms... even though it's already rooted by the time it thinks to check.
He probably should have waited until after W8 was released, now they have a chance to patch out all his hard work before anyone gets a chance to make use of it.
Microsoft is already aware of the contents of the entire paper, because he gave it to them.
Yup, nothing quite like booting up already rooted - which is what I believe this exploit does.
If I understand it properly, it allows the system to boot in an insecure way, then pulls a hand-wavy Jedi mind trick, telling Windows 8's SecureBoot that everything is fine, nothing's unsecure, all is well... the trick being that SecureBoot believes it.
this is just someone changing a bios setting and writing a bootloader
.. that is only 14k, and can be loaded via a CD or USB storage device. While disabling password authentication.
Admittedly, the part where physical access to the box is required makes it a bit more difficult to implement, but the fact remains that this is (allegedly) a method of defeating Windows 8's SecureBoot - remote delivery mechanisms can come later. Early versions will require breaking and entering, or social engineering, but this is nothing new to the dedicated IT criminal.
Also, I never stated this had anything to do with breaking UEFI. Nor did the bootkit's author.
Uhh UEFI literally has no MBR, it doesn't exist. So please explain to me how this exploit functions when the MBR doesn't exist? I think he is booting his drives in the wrong mode, which is to say legacy MBR mode instead of ADAPI/UEFI mode.
I'll explain it quite simply: It's not a UEFI exploit. The trick here is nothing to do with UEFI.
The trick is simply the ability to boot Windows 8 with SecureBoot enabled, and have it happily boot, thinking everything is hunky-dory, without actually having UEFI or its Secure Boot enabled (or even present).
Got it? This exploit fools the Windows 8 security feature called SecureBoot into thinking that it has booted from a secure boot chain, when in reality it not only hasn't done that, but is already rooted.
As I have stated over and over again in this thread, this hack doesn't have anything to do with UEFI, and it's not supposed to.
The target is Windows 8's SecureBoot technology. This hack allows one to boot from an unsecured boot chain, while telling SecureBoot "everything is ok, we're happilly booting from UEFI with a secure boot chain" - and SecureBoot believes it.
Car analogy: You push the button on the remote to lock the car doors, watch the lights flash and hear the alarm system "beep" to indicate that the doors are locked, and yet none of the locks are actually engaged.