@Jose Pedro Of course Windows is usable without secure boot -- just like the post stated :-)
How secure boot works with any other operating systems is obviously a question for those OS products :-) We focus our boot loader on Windows and there are a number of alternatives for people who wish to have other sets of functionality.
If you disable it then it is not genuine prevention any longer? If you disable it then win8 no longer boots.
At no point has anyone here stated that Microsoft is not evil. Yes, I'm defending them in this instance but that's purely because they're not to blame for OEMs potentially being shitty. The OEMs are (potentially) to blame for that.
There's plenty of things Microsoft has done wrong that you can blame them for, but it's counter-productive to rag on them for stuff that has nothing to do with them (like this secure boot malarkey), it's just a waste of time.
Speak with your wallets, there's plenty of manufacturers out there, giving you plenty of choice. The chances of them all removing a feature like this is pretty slim so just do a bit of research before you buy a new PC. If you got caught out, email your vendor for a BIOS update (or whatever the hell the UEFI equivalent will be). If that doesn't work, complain, start a site that lists OEMs based on how shitty they are, do the usual stuff, but at no point should you blame Microsoft for a decision they've left to the OEM.
Here, if you don't believe me, check this image out or this post on the BUILD blog.
Read the rest of the thread, this has been discussed at least 3 times now: you are wrong.
Windows will boot with secure boot disabled. All secure boot does is ensure that Windows hasn't been modified before UEFI tries to boot it. If you modify Windows, secure boot will prevent it from booting. If you disable secure boot, both modified and unmodified Windows installs will boot.
Incorrect.
This seems to be a common misunderstanding with the whole thing. Windows will boot no matter what, be it secure or insecure. It's not Windows' decision, it's the UEFI system's decision if it should boot Windows, Linux or whatever.
The whole point of the secure boot is to prevent malware that fucks with the bootloader, allowing rootkits to be inserted into the kernel before any anti-malware gets a chance to run.
This is how a chain of trust works.
A -> B -> C -> D
A, ideally, is some hardcoded software that cannot be modified. In games consoles, it's usually a part of a ROM or in the Xbox 360's case, it's on the CPU itself. It checks that B hasn't been modified in any way, shape or form and if it passes, boots it. B then does the same for C and so on and so forth.
The principle is exactly the same here. If you disable UEFI secure boot, all you're doing is saying "Dear A, don't bother checking B, just boot the fucking thing". B will then happily continue on as normal, booting C which then boots D. At some point, D can look back and check that A, B and C haven't been modified but it's almost pointless because if they've already been compromised, they'll feed the next in the chain whatever the fuck the compromiser wants it to.
A = UEFI bootloader
B = Windows Bootloader
C = Windows
D = Anti-malware
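To make the chain-of-trust argument in the post above concrete, here is a small simulation added for this page (it is not code from the thread or from any Microsoft component). It models the four stages with a pinned SHA-256 of the next genuine stage in place of a real signature check, and a modified stage both skips its own check and lies to D's look-back, which is the constructed behaviour the post describes.

```python
import hashlib

# Constructed stand-ins for the four stages named in the post.
GENUINE = {
    "A": b"uefi firmware v1",       # A = UEFI bootloader (root of trust)
    "B": b"windows bootloader v1",  # B = Windows bootloader
    "C": b"windows kernel v1",      # C = Windows
    "D": b"anti-malware v1",        # D = anti-malware
}
ORDER = ["A", "B", "C", "D"]


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Each stage is built knowing what the genuine next stage must hash to.
# (Real Secure Boot verifies a signature against firmware-held keys; a pinned
# hash is used here only to keep the model self-contained.)
EXPECTED_NEXT = {ORDER[i]: digest(GENUINE[ORDER[i + 1]]) for i in range(3)}


class Stage:
    def __init__(self, name, image=None):
        self.name = name
        self.image = GENUINE[name] if image is None else image
        self.modified = self.image != GENUINE[name]

    def verifies(self, nxt):
        """A genuine stage checks the next image; a compromised one boots whatever it likes."""
        if self.modified:
            return True
        return digest(nxt.image) == EXPECTED_NEXT[self.name]

    def self_report(self):
        """What this stage tells a later look-back check. A modified stage simply lies."""
        return digest(GENUINE[self.name]) if self.modified else digest(self.image)


def boot(chain, secure_boot=True):
    """Walk A -> B -> C -> D. Returns (stages that ran, stage that refused to hand off or None)."""
    booted = [chain[0].name]
    for cur, nxt in zip(chain, chain[1:]):
        if cur.name == "A" and not secure_boot:
            booted.append(nxt.name)  # "Dear A, don't bother checking B"
            continue
        if not cur.verifies(nxt):
            return booted, cur.name  # hand-off refused: nothing after this point runs
        booted.append(nxt.name)
    return booted, None


def late_check(chain):
    """D looking back at A, B and C: only as trustworthy as what they report about themselves."""
    return all(s.self_report() == digest(GENUINE[s.name]) for s in chain[:-1])


def scenario(secure_boot, tamper_b):
    b_image = b"windows bootloader v1 + rootkit" if tamper_b else None  # constructed tampering
    chain = [Stage("A"), Stage("B", b_image), Stage("C"), Stage("D")]
    booted, halted = boot(chain, secure_boot)
    checked = late_check(chain) if "D" in booted else None
    return {"booted": booted, "halted_at": halted, "late_check_ok": checked}


if __name__ == "__main__":
    for sb in (True, False):
        for tb in (False, True):
            print(f"secure_boot={sb} tampered_B={tb} -> {scenario(sb, tb)}")
```

With secure boot on, A refuses a modified B and nothing past A runs; with it off, the modified B runs, boots the rest, and D's look-back still reports everything as genuine.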
You know something? I completely, utterly and wholeheartedly agree with this.
What I'm trying to get at is that everyone is jumping on Microsoft for this, when really it has little to do with them (aside from mandating that UEFI secure boot be enabled by default). Microsoft could turn around tomorrow and say "no actually it's fine, we don't want secure boot by default" and the situation wouldn't be any different at all - OEMs could still enable it and remove the option to disable it.
Using your phone example - Google in no way demands that bootloaders be locked (and their own branded phones don't lock them), yet many manufacturers still do it. I really don't get why Microsoft keeps getting dragged into this when it's the OEMs you should be fighting.
Yes and they can also superimpose the Windows logo on top of the screen so it's permanently there, no matter what you use it for. They could also install a flash chip that wipes the hard drive and installs Windows every time you press the Windows key. They could also make it play a "BILL GATES OWNZ YOU!!!!" soundbite upon startup. There's all sorts of things they could do, but that doesn't mean they'll do it. As has been stated several times before, all the Linux doomsday prophecies rely on the OEM removing the ability, not Microsoft. Until something actually happens in this regard, it's pure FUD and scaremongering from people who either just want to bash Microsoft for the sake of bashing them, or idiots who simply don't know any better. Or both.
I don't see how that's an issue at all? If you want to install Linux, chances are you're capable of hitting F12 at startup and switching an option off. If you're not capable of doing this, then what the hell are you trying to install another OS for?
If you don't know about the option or BIOS, why would you want to disable it?
No, Windows will still boot just fine. It has to, otherwise it wouldn't work on older, BIOS-only machines. It's not about "Will Windows boot if UEFI security fails", it's more "Will UEFI boot Windows if security fails". Windows won't care what's telling it to boot, be it UEFI, Microsoft's own loader, GRUB or whatever, but UEFI will make a distinction about what it's prepared to boot.
There are also means for the OS (Any OS) to communicate with the UEFI system to determine how secure the boot was. If secure boot does somehow get disabled, Windows will boot just fine but you might get an error or a warning from your Anti-malware client letting you know that the boot couldn't be verified for security.
That screenshot is from the Tablet PC Microsoft themselves gave out at BUILD (before all this kerfuffle actually came up).
Just take a look at this image.
That's all you need to know.
In Summation: There is a genuinely good reason for enabling secure boot (malware prevention - genuine malware prevention, not just some underhand tactic that's masquerading as malware protection) and as long as your OEM isn't a dick, you should be able to disable it much like how you can disable features in your BIOS today. The decision to remove that ability is down to the OEM, not Microsoft.
Soooo....you're saying that UEFI isn't any faster than BIOS?
The main issue for me is that BIOS is just SLOW. For something that's stored in flash memory on the motherboard and is maybe a MB or two in size (if even that), it takes far too long to load up. Throw in RAID or AHCI and it doubles the boot time. BIOS is the main reason why your machine takes 30s longer to start up than it should.
Now I'm not saying UEFI is perfect, it does seem to be a little over the top, but nevertheless if it allows me to have that instant-on computer that Intel has been promising us for the last decade or two, I'm all for it.
Indeed. Slashdot may have gone down in recent years and have a bit of a reputation for trolls and shills, but if you know how to navigate through the comments, it's still a golden source of insight, information and the occasional bit of wit. This comment thread shows that.
You forgot the "here", but thanks for the effort!
Call me ignorant here, but how hard would it be for people to enable TLS 1.1 or 1.2 support in browsers and sites, since that apparently isn't vulnerable?
What I don't understand is why they don't do a halfway and release a new minor every 6 weeks and save the major versions for...well...major versions? Firefox went from 4.0.0 to 5.0.0, then a bugfix came out that was 5.0.1, then 6.0.0. Why didn't they just do 4.0, 4.1, 4.1.1, 4.2, etc? That would shut most people up and considering that little has changed between versions, would probably make extension developers' lives a bit easier. It also removes the superfluous middle digit.
As an avid Firefox user, I find I'm torn with this release method. It used to be that when a new version of Firefox came out, it was the shizzle to the nizzle, the bee's knees, the cat's...well you get the idea. Version 3 was leaps ahead of Version 2 and Version 2 made Version 1 look antiquated. However, that's partially because it took Mozilla so long to release them, over the course of a year or so, Firefox would go from being the most advanced, best browser out there to being outdated and slow. This was before Chrome came along, at least.
However, this release cycle doesn't seem to do anything other than piss people off. I actually don't mind it, it doesn't seem to get in the way for me and I do use several extensions, but the jump from 4, to 5, to 6 didn't seem to bring anything new to the table. I couldn't tell them apart without reading the changelog.
I'd move to Chrome, but it doesn't support Windows' DPI settings, so as a user with bad eyesight, this is a deal-breaker for me. Firefox handles it brilliantly.
This may be true, but DigiNotar wasn't the victim of some elite cyberhacker genius, the attacks used against them were relatively simple and, most importantly, preventable. Frankly, considering how they handled the situation and how much other forms of security rely on these certificates not being compromised, they deserve to go out of business. Let this be a lesson to all of the CAs out there - your security is of paramount importance.
It's a whole mixture of things, really. From the OEM who releases a device/chipset-specific SDK, to the developer who decides to use it instead of the "general" ones, there's a lot of blame to go around and I very much doubt that Windows 8 will be much different.
Hopefully the ARM version will have some special branding so people will easily be able to tell them apart from the x86 versions. Even if it's a case of Windows 8 Professional E vs. Windows 8 Professional.
Android is fragmented in an almost identical way with apps being written for specific chips, such as Tegra.
Furthermore, Metro apps WILL work across both x86 and ARM Windows 8 builds, much like regular Android apps will (or at least, are supposed to) work on any regular Android device.
Oh look, someone has carelessly left an illegal firearm just sitting here. I'd best pick it up so I can hand it in to the relevant.....hey wait...this feels kinda....nice.....yeah....this feels real nice. This makes me feel...powerful, like, like I could rob a bank! Yeah! I'm going to go rob that motherfuckin' bank!
How is forcing sites to opt for HTML5 instead of a proprietary plugin locking you into anything? Even ActiveX doesn't run in the Metro browser. And if you RTFA (heaven forbid), you'll see that MS has gone to great lengths to ensure that switching between Metro and desktop is seamless.
It's essentially a beta, but 64-bit Flash for Windows - http://labs.adobe.com/downloads/flashplayer11.html
And the fact that there was no Flash support in Windows 7 (x64) wasn't due to Windows not supporting plugins, it was due to Adobe not supporting Windows x64.
Once again, this is a stupid title for an article.
Here's the truth: Windows 8 supports everything Windows 7 supports. In Windows 8, there will be TWO IE browsers, though. The "regular", desktop browser which acts the same as IE9 does today (i.e. it will support plugins) and a "Metro-style" browser, which is more geared towards touch and tablet use. THIS is what won't support plugins. That's it!
If you need to use a plugin, you can push a button and be taken to the desktop version of IE. Or, you know, use a different web browser.
Ugly?