FSF Does Want Secure Boot; They Just Want It Under User Control 210
Yesterday, we ran a story with the headline "Free Software Foundation Campaigning To Stop UEFI SecureBoot." It's more complicated than that, though, writes gnujoshua: "We want computer manufacturers to implement Secure Boot in a way that is secure. If a user can't disable Secure Boot and they are unable to sign their own software (e.g., bootloader, OS, etc), then we call that particular implementation 'Restricted Boot.' We don't want computer makers to implement Restricted Boot. We want them to implement Secure Boot and to provide a way for individuals to install a fully free OS on their computers. Many computer makers are implementing UEFI Secure Boot in this way, and we want to continue encouraging them to do so." The complete text of the statement they'd like people to sign reads: "We, the undersigned, urge all computer makers implementing UEFI's so-called "Secure Boot" to do it in a way that allows free software operating systems to be installed. To respect user freedom and truly protect user security, manufacturers must either allow computer owners to disable the boot restrictions, or provide a sure-fire way for them to install and run a free software operating system of their choice. We commit that we will neither purchase nor recommend computers that strip users of this critical freedom, and we will actively urge people in our communities to avoid such jailed systems."
So then they're fine with Windows 8 (Score:5, Insightful)
Windows RT is a whole different matter, but Windows RT also accounts for about 0% of the tablet market right now. Why is the FSF making all this noise now, when Apple has been happily locking down the iPad since 2010? Microsoft is just joining the party, and it seems a little late for FSF to get self-righteous about it.
But more power to them I guess. It seems like a tough fight, however, when users have a great deal of choice between tablets (both locked and unlocked), even with the locking down of certain hardware.
Re:Its all in the language (Score:5, Insightful)
'Jailed' is the popular nomenclature. What do you think 'jailbreaking' means on your mobile device? It means unlocking the bootloader so it will boot unsigned or differently signed kernels. Doesnt sound patronizing to me, it sounds descriptive.
Re:Its all in the language (Score:5, Insightful)
Weaslly words? The lockdown in the name of "Secure Boot" is a weasel word. Calling it what it is in its implementation on ARM, "Restricted Boot" is not weasely--it's correct (cf. "Digital Rights Management" vs. "Digital Restrictions Management")
Re:So then they're fine with Windows 8 (Score:5, Insightful)
Why do people think that no one complained about Apple's lock down? They've had a walled garden in place since iOS 2.0 and it's always been a point of contention. Secure Boot just brings the threat of universal lock down that much closer.
Re:Its all in the language (Score:5, Insightful)
Most people buying a computer will hear "Secure Boot", and yell, "Good! Secure! War on Terror!"
When they hear "Restricted Boot", they will scream, "Bad! Restricted! War against my freedom!"
It's those folks who this wording is for, not Slashdot folks.
Re:What problem does it solve? (Score:4, Insightful)
This makes the job of a rootkit much harder and is one of the only arguments to give for die hard XP users who are chaining their old systems by their ankles for life afraid to upgrade.
It's not a case of being afraid to upgrade. It's the fact that users, companies and organisations have software and infrastructure that runs and is tested on XP and there is zero benefit to them changing it. Kind of like how a great deal of mainframe code is still written in COBOL. There is no benefit to rewriting it and people do not have the time or the resources. You might not like that but that's the real world.
It is not about DRM at all and is not used. A signed bootloader with the kernel path and device drivers prevent the next aulurion worm/rootkit from taking shape as nothing untrusted can run from the kernel.
Anything can be deemed to be untrusted, that's the problem. I'm afraid the rootkit/virus/security angle to this stuff is just an excuse, plain and simple.
It is great for corporate customers.
It's a disaster for corporate customers. They face a future of new hardware refusing to boot existing versions of Windows or any other operating systems, enforced upgrades and a spiralling in costs, licensing and otherwise. A rootkit is the least of their worries.
Wrong (Score:5, Insightful)
To replace the key and the boot-loader you have to disable "Secure Boot" in the firmware (Disabling by software is not allowed), then update the key (Means flashing a new version of the firmware) and the boot-loader and then reactivate "Secure Boot".
Now think of Average Joe or your grand mother and tell me how someone like them will accomplish this.
Replacing the keys doesn't require reflashing the firmware, you just need go into the UEFI setup screen and add or delete the keys you're interested in. If the key gets compromised, you just go to the setup, add the new key, boot and update the bootloader and go into the setup and remove the old key. Or, even easier, you update the boot-loader on a working system, then go into the UEFI setup and remove the old key and add the new key. The procedure you outlined is unnecessarily complex even assuming that you have to reflash the firmware to get new keys.
Re:What problem does it solve? (Score:4, Insightful)
I posted comments here debating slashdotters who feel anyone still running an old IE at work deserves to be hacked who do not understand corporate IT.
You feel free to debate other 'Slashdotters' as much as you like to fit your own arguments. There are other browsers available on XP besides IE since Microsoft claims they can't upgrade it.
Like the mainframes platforms of old there are solutions for them. Citrix and MS terminal servers are just 2 to run older software.
More complexity and more expense to continue running exactly what users were running before. The corporate world has no time for it. However, we still have forty year old COBOL code calculating our bank balances every day and people are not going to be rewriting what they have in .Net to run on a newer platform. There is only so much Microsoft can squeeze from that lemon.
The fact of the matter is new hardware does not like XP very well.
Well it wouldn't would it, you idiot? That's why corporations are virtualising old versions of Windows, but this presents Microsoft with a dilemma. Previously they depended on perpetual hardware upgrades but virtualising Windows allows corporations to continue functioning as normal and upgrade hardware pretty much forever. Enter 'Secure Boot'. Hardware that doesn't have the keys to boot 'foreign' hypervisor platforms and hypervisors implementing Secure Boot that have keys only to boot what they feel like.
These will get EOL'd and you are screwed as they wont run XP anymore by 2014.
People will care little. I know of people running NT 4, many virtualised, on closed off networks because they have applications on there that would take a great deal of time and effort they don't have to upgrade. Iit is simply the way the real world is.
It is a security risk, and the rest of the world who does not have your requirements are moving on.
The numbers in the corporate world who are still running XP tell you otherwise. They aren't moving on.
Already Office 2003 is not fully compatible with the newest .docx files in Office 2013 and sometimes Office 2010.
That's not anyone's problem but Microsoft. No one cares in the corporate world. Many have mail merges and Office BASIC tied into Office 97. They won't be rewritten. They already have all their documents in the old binary doc format and have no time to do conversions or find out if a new version of Office will actually open them.
Did you read about hte newest malware targetting the XP versions of Ie 8, 7, and 6?
The moral of the story? Don't use IE.
Who are you going to get support from after next year?
People are not phoning Microsoft up every day of the week getting support to keep their systems running. Things are a known quantity.
It is time to consider Hyper V, Windows Server 2003 terminals, and Citrix similiar to rally and x3700 IBM terminal software for these must have apps before it is too late.
More complexity the corporate world dislikes. However, those who have needed to virtualise and and run terminal sessions have been doing so. The trick with that though is that you don't need a magical desktop environment to run web or remote applications.
I disagree that a corporate customer wouldn't love to have documents time bomb, lock and encrypt files, and prevent software that is unathorized to steal keystrokes at bootup.
I thought this wasn't about DRM? ;-) Any experience of corporate IT tells you these are accidents waiting to happen. All you'll get is a load of support calls asking you why something doesn't work.
I know it is an uneccesary cost for you but come on? 12 years is a FUCKload A LOT of time and you