Australian Users Petitioning Against Windows 8 Secure Boot
In his first accepted submission, lukemartinez sends in an excerpt from a ZDNet article on continuing developments about Microsoft's UEFI secure boot requirements: "The Linux Australia community began petitioning the ACCC this week after Microsoft aired plans to mandate the enabling of Unified Extensible Firmware Interface's secure boot feature for devices bearing the 'Designed for Windows 8' logo. This means that any software or hardware that is to run on the firmware will need to be signed by Microsoft or the original equipment manufacturer (OEM) to be able to execute. This would make it impossible to install alternative operating systems like Linux..."
Delimiter has further information on the petitions, and Matthew Garrett recently posted a follow-up to Microsoft's response to the concerns about secure boot, calling them out on their misinformation.
Petition to ignorance (Score:3, Insightful)
Let me ask you this: Who has built a system with a UEFI subsystem which doesn't allow Secure Boot to be disabled by the user? Answer: Nobody.
Re: (Score:3)
UEFI Secure Boot allows you (the user/owner of the machine) to choose to verify that what you are truly booting is what you think it is. If you boot Windows 8 using this approach, you gain a higher degree of assurance that you're booting legit Microsoft code and not something that someone has infected your computer with. This is a big win for the *vast* majority of desktop users as most of them run Windows and most of them have a legitimate desire to not get bit by malware.
If you do not use this, and
Re: (Score:2)
This is no different than most smartphones available today. Are you equally paranoid about those things happening on your phone?
Re:Petition to ignorance (Score:4, Interesting)
Because they haven't shipped any yet, that's why.
And, who has seen a UEFI system which says it's been designed for Windows 8 they could test this against? Answer: Nobody.
In the hands of Microsoft, I believe entirely they would insist their vendors build a machine which is really only capable of booting Windows without basically violating ACTA or something. They've never demonstrated any compunction about forcing lock-in if they get a chance. In fact, they have a strong preference for it.
Hell, it took literally years and a bunch of lawsuits to buy a whitebox PC without Microsoft getting paid for the OS even if you didn't want it and weren't going to use it ... you think they'd hesitate to insist vendors ship something locked down to them?
The reality is, almost any tech company would lock you into their product so fast it's not funny.
Re: (Score:3)
You are just spreading FUD.
Windows 8 competes with Windows 7 and they have to allow users to upgrade with an old PC. It would be stupid to implement an OS that requires a Secure Boot mode, because it would mean that users would have to buy new hardware.
Even if they did, there will be anti-trust litigation in both the US and EU. Microsoft has been in trouble in the past for bundling software, which is a far less serious offense than actually locking out the competition. Any attempt would just be
Re: (Score:2)
Because they haven't shipped any yet, that's why.
So you are protesting something that doesn't even exist! Do you realize that there is no limit to what you might protest when you allow imaginary things to be protested?
Re:Petition to ignorance (Score:4, Insightful)
Blah blah blah.
The free market never reaches optimal conditions. The free market allows the big players to change the rules and fuck us all over. The free market is an abstraction that doesn't exist.
If we let the markets decide, we'd all be running Microsoft operating systems on closed hardware, and it would spy on us. And we'd probably be driving cars which explode on contact.
Oh, and most of us wouldn't have survived to adulthood because companies would have replaced melamine for protein powder or other toxic shortcuts.
Your market does nothing more than look out for its own interests. It's incapable of doing the things you ascribe to it ... mostly it's just the rich eating the poor.
Re: (Score:3)
*shrug* You're full of shit, and you're saying things as if they're facts.
I know a lot about how the proponents of free markets claim they work. I spent over a decade having drunk the kool-aid and reading Ayn Rand and Adam Smith and the Libertarians. I've got the whole set.
I've just come to the conclusion that it's a complete farce, doesn't work the way people claim it does, and is largely a Libertarian fantasy in which if everybody would just play by your rules we'd live in a utopian society -- same ol
Re: (Score:2)
That only works if there is more than one product to choose from.
Re: (Score:2)
Exactly. This is for people who have no clue ... much ado about nothing.
http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface [wikipedia.org]
MS wants to present Win8 as a "secure" platform and UEFI in their minds is one piece of the puzzle. That's open to interpretation.
The options are:
a) disable UEFI in BIOS
b) don't purchase a system that UEFI implemented that cannot be disabled
c) urge your Linux-vendor (e.g. RH) to get on the UEFI bandwagon if you're so inclined
Re: (Score:2)
How exactly do you propose someone disable UEFI in BIOS?
Re: (Score:2)
The options are:
a) disable UEFI in BIOS
Provided that this will be an option.
b) don't purchase a system that UEFI implemented that cannot be disabled
Probably the same chance of being able to buy a system today without windows... Which is a slight chance for a desktop and no chance for a laptop.
c) urge your Linux-vendor (e.g. RH) to get on the UEFI bandwagon if you're so inclined
And having these linux vendor keys pre-installed on a system has the same chance of getting a system with linux pre-installed. (i.e. you're screwed)
I can tell you right now that 3rd party keys will never be user installable. If they ever are this would be an attack vector. What use are secure keys if anyone can change them?
Re: (Score:2)
The options are:
a) disable UEFI in BIOS
Provided that this will be an option.
I have a feeling if this option is left out this would break a lot of existing full-disk encryption solutions out there: WinMagic, McAfee, Pointsec, etc. They all kick in before the OS loads, so anything that forces UEFI enabled all the time may significantly impact it. I used all three products and I've had to do a lot of tinkering with the BIOS on various Dell, HP, and Lenovo workstations we purchased over the years. I'm sure t
Re: (Score:2)
Provided that this will be an option.
So wouldn't the problem be that in theory it might sometimes be an option, rather than that Microsoft requires that the motherboard support secure boot for logo certification?
Isn't it thus true that your hate for Microsoft has caused you to go overboard, missing the mark completely because you can't see clearly?
Re: (Score:2)
Exactly. This is for people who have no clue ... much ado about nothing.
http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface [wikipedia.org]
MS wants to present Win8 as a "secure" platform and UEFI in their minds is one piece of the puzzle. That's open to interpretation.
The options are: a) disable UEFI in BIOS b) don't purchase a system that UEFI implemented that cannot be disabled c) urge your Linux-vendor (e.g. RH) to get on the UEFI bandwagon if you're so inclined
ummmmm UEFI is REPLACING BIOS
so perhaps you mean entering the UEFI and switching off the secure boot option?????????
mind you that's IF the OEM gives you that option in the UEFI
i always build my own so won't have this problem and indeed in my new sandybridge Asus P8Z68-V PRO Z68 mobo i do have that option.. all good
i even tried it with windows 8 legitimately downloaded from HERE [tweaks.com]
and i have to say that windows 8 sucks major dick and i'll just leave the gaming with windows 7 thanks very much
so it boi
Re: (Score:3, Insightful)
Re: (Score:2)
As usual, the technical community will figure out how to get this functionality working
Re: (Score:3)
But what about somebody like MY DAD, he hears about linux from the guys at work, decides to try it on his new, factory-built Windows PC? Where does this leave him?
I say this not euphemistically, I love my dad but he's a putz around computers, but I could easily imagine him and people like him attempting this. They'd basically be locked out, or screwed.
You worry about your dad needing to change one BIOS setting, but expect him to set up a dual boot environment to try Linux out? Or blow away Windows to install Linux? Huh.
As to where does this leave your dad? He should probably run Linux within a virtual machine on his new Windows PC. No mess, no fuss. Seriously, I've stopped dual booting systems years ago...with modern VT-enabled chips, virtualization is sooooooooooo much of a superior approach.
Re: (Score:2)
Perhaps he'd use a linux liveCD?
Re: (Score:2)
But what about somebody like MY DAD, he hears about linux from the guys at work, decides to try it on his new, factory-built Windows PC? Where does this leave him?
Right, because computer novices decide to install new operating systems all the time as it is. Must be why Linux has such a high market share. Now UEFI is his only hurdle! No. The reality is no one cares to install Linux, and the people that do care will know how to, UEFI or not.
Re: (Score:3)
When you are worried about problems that dont actually exist in a demonstrable reality, there is no limit to the kinds of things that you can 'react' to. You are acting like the Bush administration right now, crying wolf over things that 'might' happen, rather than deal with things that 'actually' happen.
Europeans (Score:4, Insightful)
I'd strongly implore Europeans to look at similar moves. The EU courts have proven time and again to have backbone when it comes to anti-competitive behaviour in the IT industry, and right now this is Microsoft playing the checkmate card it's been threatening for a long long time.
Re: (Score:3)
How about we wait for further information before freaking out like teenage girls when some rubbish boy band breaks up?
There has been fuck all in Microsoft's announcements that suggests a motherboard manufacturer has to allow Windows and nothing else. There has been no suggestion that secure boot cannot be disabled. There has been no suggestion that the user won't be in control.
Hell, people should be applauding the securing of the boot process - I remember it being a huge problem on the Amiga with boot secto
Re: (Score:2)
Really, you think it is "very likely" that manufacturers would force something on you that would not only disable 0.5% of their customer base, but also anyone wanting to run Windows XP, Windows Vista or Windows 7, a significantly larger portion of their customer base?
Or has no one really considered that angle of this?
There will be an option to disable this, I am in no doubt as to that.
Couldn't the mfr include certs for Windows pre-8? (Score:2)
Re: (Score:2)
And what if the binaries are not signed in the correct manner for UEFI? It's not just a case of there needing to be keys, but the signing mechanism also needs to be supported - and I'm doubtful as to whether or not XP's entire boot chain is even signed.
And by saying that Windows XP users can run it in Windows 7's XP mode, you just forced another purchase on them...
No, OEMs are going to accommodate these users - that's pretty much guaranteed.
Re: (Score:3)
Re: (Score:2)
A question: does UEFI allow users to install additional keys later on?
I believe it does, but only from an OS that booted in trusted mode.
You may be able to do it from the UEFI interface itself, but it would be kind of ironic to have to install Windows to "bless" your machine to secure-boot Linux.
Re: (Score:3)
The MS blog post [msdn.com] discussing this specifically mentions a requirement that there is no programmatic control of secure boot policies. If it were possible to add certificates while the OS is running, it would be easier for malware to add those certificates themselves.
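As an added example (not part of the thread, and not Microsoft's or any OEM's code), the Python below reads the firmware variables this sub-thread is arguing about from Linux's efivarfs and reports whether Secure Boot is enforcing, disabled or in setup mode, and whether the `db` key database accepts only signed updates. The `constructed_platform` helper and its byte values are constructed sample data, so the code also runs on a machine without UEFI.

```python
"""Added example: classify UEFI Secure Boot state from efivarfs variables."""
import struct
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"    # EFI_GLOBAL_VARIABLE
IMAGE_DB_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # EFI_IMAGE_SECURITY_DATABASE_GUID

# UEFI variable attribute bits relevant to this check.
ATTR_FLAGS = {
    0x01: "NON_VOLATILE",
    0x02: "BOOTSERVICE_ACCESS",
    0x04: "RUNTIME_ACCESS",
    0x10: "AUTHENTICATED_WRITE_ACCESS",
    0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
}
AUTH_WRITE = 0x10 | 0x20


def parse_efivar(raw):
    """An efivarfs file is a 4-byte little-endian attribute word, then the data."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]


def attr_names(attrs):
    return [name for bit, name in ATTR_FLAGS.items() if attrs & bit]


def read_from_efivarfs(name, guid):
    """Return the raw variable, or None on BIOS boots or unreadable entries."""
    try:
        return (EFIVARS / f"{name}-{guid}").read_bytes()
    except OSError:
        return None


def flag(read_var, name):
    """SecureBoot and SetupMode are one-byte booleans; None means absent."""
    raw = read_var(name, GLOBAL_GUID)
    if raw is None:
        return None
    _, data = parse_efivar(raw)
    return data[:1] == b"\x01"


def assess(read_var=read_from_efivarfs):
    secure_boot = flag(read_var, "SecureBoot")
    setup_mode = flag(read_var, "SetupMode")
    db_raw = read_var("db", IMAGE_DB_GUID)
    db_attrs = parse_efivar(db_raw)[0] if db_raw is not None else None

    if secure_boot is None:
        state = "no-secure-boot-variables"   # legacy BIOS boot or efivarfs not mounted
    elif setup_mode:
        state = "setup-mode"                 # no Platform Key: keys can be enrolled unauthenticated
    elif secure_boot:
        state = "enforcing"
    else:
        state = "disabled"

    return {
        "state": state,
        "db_present": db_raw is not None,
        # With an authenticated-write bit set, firmware rejects db updates
        # that are not signed by a key it already trusts.
        "db_write_needs_signature": bool(db_attrs is not None and db_attrs & AUTH_WRITE),
        "db_attributes": attr_names(db_attrs) if db_attrs is not None else [],
    }


def constructed_platform(secure_boot, setup_mode, db_attrs=0x27):
    """Constructed sample variables (not captured from real hardware)."""
    store = {
        ("SecureBoot", GLOBAL_GUID): struct.pack("<IB", 0x06, secure_boot),
        ("SetupMode", GLOBAL_GUID): struct.pack("<IB", 0x06, setup_mode),
        ("db", IMAGE_DB_GUID): struct.pack("<I", db_attrs) + b"\x00" * 28,
    }
    return lambda name, guid: store.get((name, guid))


if __name__ == "__main__":
    print("this machine:", assess())
    print("constructed :", assess(constructed_platform(secure_boot=1, setup_mode=0)))
```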
secure boot?? (Score:2)
What's with all this secure boot crap anyway? When did anyone last get a virus, trojan or worm through the boot process and not through say the browser or a rogue piece of software?
Has Symantec or McAfee infiltrated into Microsoft or something?
Re: (Score:3, Informative)
Secure boot prevents those other malwares from subverting the boot process.
Re:secure boot?? (Score:4, Interesting)
This isn't designed to stop viruses (though theoretically it could help a little), this is part of Microsoft's anti-piracy push. Current methods of pirating Windows involve loading up something before the kernel to trick Windows into thinking it is installed on a machine with an OEM license. Obviously if the BIOS won't hand off to unsigned code then this becomes impossible and this method of piracy (which has been in use since Vista's time) is no longer viable.
Hence why they don't want OEMs to give you the option to disable this feature or to load up your own keys. If they did then it would solely be a security feature and do nothing for piracy. Given that, it explains why Linux people are so worried, because Microsoft is pushing for exactly this and Linux is about to get caught in the crossfire.
Re: (Score:2)
Want (Score:2)
Please include the requirement for secure boot. I know how to download vmware player to run the things I want to run in a virtual machine and I greatly desire to have a secure underpinning to my OS. Thanks.
Gabe
Re: (Score:2)
Ok, but for that you'll have to boot a secure OS first so you can run Windows in that VM.
Re: (Score:2)
That's nice. I hope you only like ever running Windows natively, and having to always put Linux in a VM.
Impossible? (Score:3, Interesting)
Only if there is no way to disable secure boot.
The problem here is that a majority of users are Windows users that will actually benefit from running a computer with a secure boot loader. So Microsoft is serving the interests of their users by pushing for secure boot.
The good reason to oppose secure boot is the fear that computers will ship locked to Microsoft's keys. Before petitioning the government to specify the terms under which Microsoft can offer a logo program, people should be encouraging Microsoft to add a requirement for a method of disabling secure boot to the logo program (this may well be futile...).
The reason for Microsoft to do this would be to put the whole damn issue behind them, and it only really matters for random consumer hardware that might end up with Linux on it, not a space they face much competition in.
(Server and business vendors will continue to sell their customers what they want, running arbitrary software on such systems will not be problematic)
Re: (Score:3)
people should be encouraging Microsoft to add a requirement for a method of disabling secure boot to the logo program (this may well be futile...).
People should be encouraging their own government to add such a requirement for the OEMs. The problem is broader than Microsoft and Win8 - it's about being able to control what software runs on a PC you own, regardless of the exact mechanism, OS and vendor.
Article Gives the Obvious Solution (Score:3)
The article lists the hardware manufacturer -- the system builder -- as Microsoft's customer. This is not surprising, since they are the people giving money directly to microsoft.
So like with everything else in life, if you want to have control over something, all you need to do is to pay for it. You're welcomed to purchase your computer from Best Buy, and thus give Best Buy all of the control. Best Buy can choose what you'll get vis-a-vis the security of the OS. Or, you can do what many of us do.
You can purchase Windows 8 directly, and install it yourself. Then you'll be the "hardware manufacturer" (a term that's lost all meaning here), and you'll have complete control over it.
Welcome to the power of money.
Re: (Score:2)
Re: (Score:2)
No, you build it yourself, and all is good. You just won't have the "windows 8 logo certification" sticker -- which indicates that you built it yourself.
Laptops (Score:2)
No, you build it yourself
That works if you want a desktop PC, but how many end users actually build their own laptops?
Re: (Score:2)
There is nothing to stop an OEM from first charging for the PC, then charging for the unlock of the bootloader.
That's right.. there is nothing stopping them, yet in all these years the OEMs have never locked you to a particular OS, which would have benefited their support-cost bottom line all these years.
Hell, even Apple lets you boot other OS's on Macs.
Huh? (Score:2)
If you buy from Best Buy, you bought from a system builder who bought from Microsoft nearly certainly. Ignoring the money they already gave to MS and enabled secure boot by default as well and giving MS *more* money to acquire the *same* software that will also be signed in a way to pass the same secure boot checking is only different in how convoluted the scenario is.
Protesting having this enabled by default is a tad asinine for most desktop users. Demanding that Firmware be mandated to have a configurat
Re: (Score:3)
You're missing the point. Microsoft didn't restrict Best Buy from doing whatever Best Buy wanted to do. And you weren't forced to buy your computer from Best Buy. Every single problem that you have with this scenario is instantly gone when you buy windows yourself, and skip Best Buy entirely.
You shop at Best Buy, you get what Best Buy is willing to give to you. Or you can just go out and do it yourself. That's your choice.
So if you want to have control over windows, you need to buy windows from microso
Completely off the deep end.. (Score:3)
Wait, you don't think it's fair that a person -- not unlike yourself -- who owns an assembly business, should be able to attempt to sell whatever they choose? You think someone else's private business should be forced to sell what you want to buy?
The problem is that it's not the manufacturers that *want* to do this. If so, they could have done more by now. They've done the bare minimum that MS demands. It is not in their interest to potentially restrict OS choice, and the anti-rootkit benefits are dubious (unless *maybe* if you lock down only to MS). The problem is measures like this have a large potential to be very anti-competitive, which may be a lost cause since being a convicted monopolist hasn't really slowed them down in the least.
Used to be, you could purchase a computer with no OS at all. Now, the law says that it's illegal to do so.
Show m
Re: (Score:2)
Except that this is for the Windows 8 Logo. Many motherboards come with the Windows 8 Logo. I see nothing that restricts this to system builders.
Good Luck (Score:3)
I mean that sincerely but Microsoft has already implemented their legal stance, "It is not up to us. It is up to the vendor".
Re: (Score:2)
Re: (Score:3)
Like "Hey, we'll give you preferential rates for OEM Windows 8 licenses if you have a locked bootloader."
This issue isn't Microsoft's... (Score:4, Insightful)
..It's the OEM's. Nowhere does Microsoft mandate that OEMs must remove the option to disable UEFI secure boot, only that it's enabled by default.
For someone that's supposedly calling Microsoft out for misinformation, Matthew Garrett does a great job of it himself. Here's a few points I noticed:
Which hardware vendors? Who? What hardware? Why? And what has that got to do with Microsoft?
And why shouldn't it? It also doesn't state that you can only ship Microsoft's keys. Why is it Microsoft's responsibility to get keys other than its own installed?
Exactly, however a system that ships with UEFI secure boot and only includes a linux distribution's signing keys will only securely boot that linux distribution. Why is the latter ok, but the former not? Oh wait, because Microsoft is the big, bad guy? Once again - Microsoft doesn't mandate that UEFI secure boot be forced, it's the OEM's decision to remove the option to disable it.
Of course, this fails to mention (again) that OEMs are in no way forced to remove UEFI secure boot and by doing so, they'll be at a disadvantage in the marketplace and lose sales from people like this very writer....
In short: Because Nobody else can have secure boot, why should Microsoft get to have it? Apparently that's bad for even the likes of AMD and Intel.
Never mind that 99.99% of malware targets windows, that most "zombies" on the internet are Windows machines, that most spam is sent from windows machines, which affects everyone. In that instance, giving Windows machines that extra blip of security by default hardly seems like a bad thing.
Woah woah woah! Didn't you just say that Microsoft were the only ones capable of forcing Manufacturers to include their signing keys? That the likes of AMD,
Re:This issue isn't Microsoft's... (Score:5, Insightful)
Which is a great dodge. Then they can apply quiet, behind the scenes pressure to remove the option. Some vendors omit options regardless (like disabling VT-x.)
Yep, we're heading into THOSE days where only a select handful of operating systems are allowed to boot. If we're lucky, we'll be able to boot Fedora and Ubuntu. Gentoo users? Fuck you.
Do you seriously think that users can pressure OEMs harder than MS can? MS can kill their business overnight, and I don't doubt they've learned a LOT about how to act in an unethical manner even under the eye of the DoJ. No, this is MS pursuing something and, much like Apple, hoping the inertia of the masses who don't care can overwhelm the complaints of the minority that understand why such unilateral, non-disablable lock down is bad.
People are fighting so aggressively to defend MS, but in a few years we may wish for the day when we didn't have to violate the DMCA and ACTA to run whatever OS we choose on our systems.
Re:This issue isn't Microsoft's... (Score:5, Insightful)
Which is why I say we should pressure OEMs. This decision has nothing to do with Microsoft so people are ignoring it, despite the fact that it is still an issue that people should be concerned with.
No, we're not. The thing to keep in mind is that there's a distinction between simply booting and secure booting. Right now, no operating system can secure boot (as far as I'm aware, anyway - if there is hardware+software out there that can utilise this, please let me know) and Microsoft wants to push it for Windows 8. It would be nice if we can also utilise this for other operating systems as well (or rather, other boot loaders, like GRUB), however that task lies with the OEMs and their willingness to let us add our own keys. Like I said before - this is the OEM decision, not Microsoft's.
And there it is again! The assumption that you won't be able to disable secure boot. This assumption lies squarely with OEMs and not Microsoft.
Consumers don't need to pressure OEMs more than Microsoft, they just need to pressure them. Microsoft is pushing to enable secure boot by default, while us users should be pressuring OEMs to give us control over secure boot. They are two entirely different things.
Even if Microsoft changed their mind on the secure boot by default thing, we should still pressure OEMs to give us this control as it's a very useful security feature to have.
Now, of course there's that idea that Microsoft might be in the background pressuring OEMs to remove the option to disable it, but so far this is based entirely on conjecture and speculation. If Microsoft does try it, they'll be liable for a massive class-action lawsuit, something that would cost them a lot more than the 1-2% of the marketshare they could possibly gain by blocking Linux. Until that happens, it's a non-issue. Rather than moaning at Microsoft, we should be moaning at the OEMs because they're the ones that will be taking these options from us.
In the technology world, we shouldn't let the "maybes" get in the way of innovation. Secure boot would outrightly kill a lot of malware attacks, something that plagues windows a lot more than it does Linux.
Re: (Score:3)
Mod parent up...
Microsoft has a history of pressuring OEMs not to support alternative OSs, such as requiring a Windows fee on every desktop shipped, even if it didn't use Windows (and other less obvious pressure). It would be quite easy for them to exert some almost-deniable pressure to stop OEMs from shipping motherboards that have the option to disable secure boot. Then the (small) threat of Linux on the desktop would completely disappear - more seriously, a route for new people to learn to use and dev
This issue is Microsoft's because... (Score:3)
Microsoft have a dominant position in the desktop operating system market.
Why is it Microsoft's responsibility to get keys other than its own installed?
It is, for the same reason MS was forced to offer some choice for the Internet browser in Europe, remember?
Oh wait, because Microsoft is the big, bad guy?
Big guy: yes, again we are talking about dominant position and its consequences, which lead to more power and possible abuses, thus the bad guy. Don't you remember some MS abuses?
Here's a few points I noticed: [...]
Add to those points: the dominant position of Microsoft. It should help a lot to understand Garrett's answer [dreamwidth.org]
Chalk up another one for RMS... (Score:2)
The Right To Read [gnu.org] from 1997:
Dan would eventually find out about the free kernels, even entire free operating systems, that had existed around the turn of the century. But not only were they illegal, like debuggers--you could not install one if you had one, without knowing your computer's root password. And neither the FBI nor Microsoft Support would tell you that.
Not so sensationalist or paranoid now, is it?
A BIOS with minimal features? (Score:2)
I have NEVER seen a BIOS with minimal features.
(The original RedHat complaint was that "MadeForWin8" machines must support UEFI, and must include Microsoft's boot keys; RedHat were worried that BIOS makers would ship with this bare minimum of support, i.e. not allowing you to disable UEFI or to add your own keys.) Disclaimer: I work at MS as a language designer.
Re: (Score:2)
Then you haven't used a laptop or desktop from a major vendor, whose BIOS contains usually no useful settings of note. Redhat is absolutely right to be worried that laptop vendors will ship systems without any interface to disable this, especially if they brand the machine a "Windows 8" machine and do the bare minimums to meet that logo requirement.
Re: (Score:2)
I have NEVER seen a BIOS with minimal features.
How about the BIOS of the original Xbox, which used some sort of secure boot measure to make sure it would run only Microsoft's dashboard?
Effects on Dual Boot? (Score:2)
At best, this is going to be a pain in the ass for people who dual boot.
Smart Aussies (Score:2)
While this may have little impact on the (large) US market, Australians might be in for a major jump in their (smaller) PC business. If they mandate an end user accessible UEFI 'switch', they'll grab a large part of the mail order PC business supporting alternate operating systems.
If they can differentiate themselves from the rest of the world markets (OK, they probably won't be the only country passing such a law), they could potentially turn themselves into a key player in s/w development for advanced sy
Dell Graphics Cards. (Score:2)
So, given that major OEMs tend to ship as minimal as possible BIOS/UEFI options: If you buy a Dell computer and cannot turn off secure boot, are you limited by hardware signing to Dell branded (and priced) graphics cards and etc?
Bill Gates sworn not to lock bootloaders (Score:2)
Re:Hunting... (Score:5, Informative)
Re: (Score:2)
Can you find the anti-sign link?
Re: (Score:2)
Did you look down under?
Re: (Score:3, Insightful)
In other news, users petition to have Firewalls disabled, Microsoft force all users to have admin privs, and the removal of passwords.
When interviewing these users they had these things to say: "I love malware, someone has to" and "Pressing F12 at boot and disabling secure boot is too much work, I would rather troll every forum on the internet to sign petitions"
If you want to stand up for the rights of malware and rootkit creators everywhere, please help support this cause. Because.. "Someone has to love th
Re:Hunting... (Score:5, Insightful)
In other news, users petition to have Firewalls disabled, Microsoft force all users to have admin privs, and the removal of passwords.
These things can be controlled for obvious reasons. What's being discussed here is what you can actually run on your computer from the start. An entirely different ball game.
When interviewing these users they had these things to say: "I love malware, someone has to"
Right.............
"Pressing F12 at boot and disabling secure boot is too much work
If you'd done some reading then you'd know that this F12 option will not always be there, nor is there any guarantee that it won't be removed.
If you want to stand up for the rights of malware and rootkit creators everywhere, please help support this cause. Because.. "Someone has to love them"
This will not help prevent malware or rootkits in any way over and above what is already done. Stop hiding behind the security reasoning, because it's crap. It still won't prevent vulnerabilities in the OS once it is running, which is where it is all happening anyway.
Certs can be managed if your OEM doesn't suck.
They will all suck. The EFI spec does not currently allow you to add your own keys. It's Microsoft or the OEM.
Win8 doesn't require secure boot to work
Future versions will once the hardware is widespread. This argument always makes me chuckle.
Secure boot can be disabled, again assuming your OEM doesn't suck
They will suck. See above.
IT would have a shit storm if they couldn't manage this
They will accept what they've been given, as always.
Server admins would have a shit storm if they couldn't manage this
See above.
Someone would lose a job at Dell/HP/Gateway/etc if the end user couldn't manage this
Utter crap.
This effectively makes it impossible, with current malware, to ever take over a PC
No, that is not the case because there will still be vulnerabilities in the OS. However, in order to do that we want it to make sure you cannot install anything but Windows? Interesting. We haven't even got into the ramifications for virtualisation, or how this might work in terms of individual hardware working on a motherboard in the future.......... It's a right mess.
This got modded insightful? Jesus.............
Re: (Score:2)
That's still an OEM issue, not an MS issue. I do understand the possible problem, but it would be *more work* and would piss off the users if OEMs didn't include this functionality. IT would require it and servers would require it. OEMs would have to have separate UEFI for corp models vs non-corp models. That would cost money.
So not only would not including cert management cost OEMs money, it would cost them business. Someone else would come along and allow cert management. Then more and more users would sw
Re: (Score:3)
I sincerely doubt secure boot is of any concern nowadays. While boot sector malware may still be feasible, it is extremely limited, to the point that it is quite difficult to locate people around you with such a problem.
This effort is more about controlling which operating systems can run on a PC than securing the boot process.
Re:Only affects OEM stuff? (Score:4, Informative)
Doesn't this only affect OEM stuff, in which case, who cares.
WTF are you talking about? It will affect any PC that you want to load another OS on.
Re: (Score:3, Insightful)
No, what the previous poster is stating is that it only impacts manufacturers that do not offer an option to disable the setting. I do not see how this is a MS issue. Microsoft is trying to make the boot process more secure. The only way to do that is to have something like Secure UEFI validate that malware isn't hijacking the system before the OS loads. If your hardware manufacturer isn't giving you the option to disable the feature if you want, then you should take that up with them, not MS. There is
Re: (Score:3)
It's also to prevent pirated copies of Windows and the cracks that essentially do hijack the boot process to make that copy of Windows appear valid.
Re:Only affects OEM stuff? (Score:5, Informative)
Anyone who wants to repurpose an OEM computer. Anyone who doesn't want to pay extra for jailbroken motherboards. Anyone who thinks people should own their property, instead of being beholden to the manufacturer.
That's who.
Re:Only affects OEM stuff? (Score:4, Interesting)
You won't be paying extra for jailbroken motherboards
You might be paying a fine for jailbreaking your motherboard though...
Re:Only affects OEM stuff? (Score:5, Interesting)
http://news.slashdot.org/story/11/09/27/2130245/canadian-government-says-drm-circumvention-not-related-to-copyright [slashdot.org]
Slowly the pieces are coming together...
Re: (Score:2)
I don't think that is the situation which causes concern. People will probably be able to still buy from the likes of Asus, MSI, etc when building their PCs. The concern is the OEMs like Dell, HP, etc. With this new measure in place, consumers will not be able to repurpose those machines. If a fee is required, it hampers the used market. If no alternate keys are available, it kills the used market.
One thing not addressed is how MS intends to deal with enterprises some of whom will want to run an OS othe
...will stop being manufactured (Score:2)
Re: (Score:2)
You won't be paying extra for jailbroken motherboards, you might be paying extra for motherboards with vendor supported methods for disabling secure boot or inserting user keys.
What exactly is the difference from the owner's standpoint? You're still paying extra for something you've always expected to be able to do.
Re:Only affects OEM stuff? (Score:4, Informative)
Uh... "OEM" is pretty much every PC maker. And that's the thing, isn't it? In the case of Dell, you can be sure that consumer models will have their UEFI locked to Windows and the business models will still be allowed to run Windows XP - Windows 7 by disabling this feature. But as for being able to install new keys for other OSes? I'm going to simply doubt it because once that code is made available, you can expect malware to make use of it as well.
And here's the thing. In order to get better security, you pretty much HAVE to stop people from being able to do stupid things. It is precisely the user doing stupid things which is the most significant source and cause of security problems on PCs today. You can disable and limit things all day long, but in order for users/consumers to be able to make use of their stuff, they frequently need to disable security features as applications publishers and others are not always on board with security strategies. And let's be frank -- Microsoft hasn't been strongly security focused in the past. And the result of this past means a lot of old applications expect to live in a less secure environment. (And it's not like we haven't seen this in countless other ways such as a persisting need for MSIE6 because their browser was broken by design and applications written for it will not work with other browsers... lock-in worked for a while but was not considerate of the future.)
Is there an alternative approach? Can you allow users to do stupid things and maintain security? If there is a way, it has escaped my imagination.
Re: (Score:2)
Allowing the user to intentionally add keys but preventing malware from doing so should not be too difficult for MB manufacturers. Have a hardware jumper with 3 positions, 1) Do not enforce secure boot, 2) Enforce secure boot, 3) Only allow new keys to be added but do not allow the system to do anything else including booting.
Re: (Score:2)
To be fair this would be two jumpers, since you don't seem to understand how jumpers work.
That's like.... DOUBLE the work load. The motherboard would cost an extra $200 for that feature instead of $100.
Re: (Score:2)
Yes, it definitely will affect OEM products (such as, oh, every laptop you might want to use); but team "Just Build Your Own!" isn't in a substantially better position unless the OEMs that make motherboards are substantially more helpful than the OEMs that make whiteboxes (and paying $50 extra for the "enthusiast edition" that lets you do your own keyfill isn't going to cut it)...
what about business? who may not want windows 8? (Score:2)
and wants to load windows 7?
Some 3rd party disk encryption system?
3rd party imaging tools?
memtest?
windows xp? (for some old stuff that may only work with it?)
Linux (some businesses do run linux even if it's in a very limited way)
systems with deep freeze and other 3rd party lock down apps.
Re: (Score:2)
It's not a requirement for Windows 8. It is a requirement for 'Designed for Windows 8' OEM systems.
Re:honestly...so what? (Score:5, Insightful)
Really though...who buys a vendor PC then slaps Linux on it? We build our PC's..
I did just that with my laptop
Re: (Score:2)
Really though...who buys a vendor PC then slaps Linux on it? We build our PC's..
Right! I bought all pieces of my laptop and assembled it myself and installed Linux on it!
Oh wait ... I was dreaming again.
Re: (Score:2)
And the mother board you buy will be similarly locked
no they are NOT AC scaremonger... i have /uefi and guess what???? you can disable secure boot!
http://www.ebuyer.com/267772-asus-p8z68-v-pro-z68-socket-1155-8-channel-hd-audio-atx-motherboard-p8z68-v-pro [ebuyer.com]
ad it boasts a funky range of features including
so basically you talk crapioca or just make assumptions without any actual knowledge and spout....... crapioca
Re: (Score:2)
Hmmm, let's look up the definition:
free mar-ket
noun
An economic system in which prices are determined by unrestricted competition between privately owned businesses [google.com]
Please enlighten us about the competition part and explain how it works when one "privately owned business" owns 95% of it.
Re: (Score:2)
Sheesh people, this is a free market. If you don't like it, don't buy it. It's not like these are mandatory government issued computers or something. On top of that, it is still cheaper to build your own machine and be your own Original Equipment Manufacturer.
This is a non-story.
Whoever modded the parent a troll, should not have been given moderator points because this is simply an observation that is not designed to inflame. It is a free market so vote with your wallet as it is far more powerful and easier than seeking assistance from the legal system. If everyone refused to purchase hardware that has Microsoft's Big Brother Bootloader then you'll see how quickly OEMs will be releasing firmware updates to remove this because, last time I checked, a company needs to be ultimately
Re: (Score:2)
This also solves the problem of those pesky dual-boots: Windows will refuse to run on unlocked BIOS computers, citing security issues. Want to run a windows app natively? -- buy a second computer.
Re: (Score:3)
I really doubt your claim of a 10 fold improvement in security. How many MBR rootkits have you cleaned up in the wild? How many lame malware infections have you seen/cleaned up in the wild (which secure boot won't help 1 iota)? For me those numbers are 0 to about 50,000 in the last 5 years.
Phishing and hacked websites that dump malware via browser bugs are the 2 biggest security threats I've seen in the last 5 years, and neither of these is even remotely addressed by secure boot, when someone comes up wi
Re: (Score:2)
So basically, the hardware manufacturers that go for locked secure boot will see drops in sales, I guess. I sure won't buy it if I can't use what I want on it. That's stupid.
The reality of it is that most people will probably be apathetic and ignorant. Your garden variety users will want something easy to use where they don't have to think about it so in reality they won't see much of a drop in sales. Geeks like you and I will care so, inevitably, there will be a manufacturer or two that will spring up to cater to our needs.
Re: (Score:2)
Steve? Is that you?
You know we've told you to be careful before.
yours sincerely
Microsoft Legal Department
PS : thanks for the fruit basket. The Mangos really cheered up my wife.
W dropped the charges (Score:2)
Re: (Score:2)
Because, as everyone knows, change is bad. Slashdot has a long, long history of going into over-the-top hysterics over inconsequential things. Remember all those stories about RFID? Same thing. Paranoid ranting by the alarmist wing of Slashdot. In defense of their ranting, however, I would point out that sometimes even a crazy person is right. Also, it's hard to say whether the paranoids were in a tizzy over nothing or, through protesting, they managed to mitigate something that could have been very b