Australian Users Petitioning Against Windows 8 Secure Boot

Unknown Lamer posted more than 2 years ago | from the treacherous-computing-lives-again dept.

The Courts 386

In his first accepted submission, lukemartinez sends in an excerpt from a ZDNet article on continuing developments about Microsoft's UEFI secure boot requirements: "The Linux Australia community began petitioning the ACCC this week after Microsoft aired plans to mandate the enabling of Unified Extensible Firmware Interface's secure boot feature for devices bearing the 'Designed for Windows 8' logo. This means that any software or hardware that is to run on the firmware will need to be signed by Microsoft or the original equipment manufacturer (OEM) to be able to execute. This would make it impossible to install alternative operating systems like Linux..." Delimiter has further information on the petitions, and Matthew Garrett recently posted a follow-up to Microsoft's response to the concerns about secure boot, calling them out on their misinformation.

386 comments

First Post (0)

Anonymous Coward | more than 2 years ago | (#37538910)

Signed by Microsoft to stop Linux hippies.

Only affects OEM stuff? (0)

Anonymous Coward | more than 2 years ago | (#37538944)

Doesn't this only affect OEM stuff, in which case, who cares.

Re:Only affects OEM stuff? (3, Informative)

Chrisq (894406) | more than 2 years ago | (#37538982)

Doesn't this only affect OEM stuff, in which case, who cares.

WTF are you talking about? It will affect any PC that you want to load another OS on.

Re:Only affects OEM stuff? (4, Informative)

Hatta (162192) | more than 2 years ago | (#37539038)

Anyone who wants to repurpose an OEM computer. Anyone who doesn't want to pay extra for jailbroken motherboards. Anyone who thinks people should own their property, instead of being beholden to the manufacturer.

That's who.

Re:Only affects OEM stuff? (1)

maxume (22995) | more than 2 years ago | (#37539218)

You won't be paying extra for jailbroken motherboards, you might be paying extra for motherboards with vendor supported methods for disabling secure boot or inserting user keys. Such boards will exist, corporate hardware buyers will demand them.

(A simple method is a switch or jumper, which should be quite safe from software tampering)

Re:Only affects OEM stuff? (3, Interesting)

jamesh (87723) | more than 2 years ago | (#37539292)

You won't be paying extra for jailbroken motherboards

You might be paying a fine for jailbreaking your motherboard though...

Re:Only affects OEM stuff? (1)

maxume (22995) | more than 2 years ago | (#37539330)

No, I won't. I'm aware enough that I will buy what I want and I am confident that there will be some lunatic hardware vendor choosing to market unlocked pc motherboards to paranoid nutbags like myself.

Re:Only affects OEM stuff? (4, Interesting)

JosKarith (757063) | more than 2 years ago | (#37539412)

Circumventing a protection system? I'm glad nobody passed a law boneheaded enough to make that illegal even if you're not breaching any copyright.
http://news.slashdot.org/story/11/09/27/2130245/canadian-government-says-drm-circumvention-not-related-to-copyright [slashdot.org]
Slowly the pieces are coming together...

Re:Only affects OEM stuff? (1)

maxume (22995) | more than 2 years ago | (#37539638)

If vendor A builds a board with, say, no support for uefi at all, what the hell are your conspirators going to argue that they are circumventing?

To be clear, this board would be like most of the hardware in existence right now.

Re:Only affects OEM stuff? (1)

Anonymous Coward | more than 2 years ago | (#37539084)

People who build their own desktops shouldn't be affected, however laptops and pre-built desktops usually come with a very pared down BIOS. Assuming this trend continues onto UEFI systems then it is possible that you won't have the option to disable secure boot and won't be able to run Linux on some laptops or store bought PCs.

To be honest I think secure boot is a good feature and should be included, just so long as Microsoft agreed to also require the ability to disable it before certifying. And even better if they also required the ability to install your own keys.

Re:Only affects OEM stuff? (1)

BrokenHalo (565198) | more than 2 years ago | (#37539438)

People who build their own desktops shouldn't be affected...

Wouldn't motherboard manufacturers roll over too? I can't see any of the major players volunteering to lock themselves out of the Windows 8 market. Fortunately I won't be in the market for a new mobo for some time, since I'm happy with the gear I have, but I can see this causing problems later on down the track. I really hope not, though.

Re:Only affects OEM stuff? (1)

sangreal66 (740295) | more than 2 years ago | (#37539620)

It's not a requirement for Windows 8. It is a requirement for 'Designed for Windows 8' OEM systems.

Re:Only affects OEM stuff? (3, Informative)

erroneus (253617) | more than 2 years ago | (#37539096)

Uh... "OEM" is pretty much every PC maker. And that's the thing, isn't it? In the case of Dell, you can be sure that consumer models will have their UEFI locked to Windows and the business models will still be allowed to run Windows XP - Windows 7 by disabling this feature. But as for being able to install new keys for other OSes? I'm going to simply doubt it because once that code is made available, you can expect malware to make use of it as well.

And here's the thing. In order to get better security, you pretty much HAVE to stop people from being able to do stupid things. It is precisely the user doing stupid things which is the most significant source and cause of security problems on PCs today. You can disable and limit things all day long, but in order for users/consumers to be able to make use of their stuff, they frequently need to disable security features as applications publishers and others are not always on board with security strategies. And let's be frank -- Microsoft hasn't been strongly security focused in the past. And the result of this past means a lot of old applications expect to live in a less secure environment. (And it's not like we haven't seen this in countless other ways such as a persisting need for MSIE6 because their browser was broken by design and applications written for it will not work with other browsers... lock-in worked for a while but was not considerate of the future.)

Is there an alternative approach? Can you allow users to do stupid things and maintain security? If there is a way, it has escaped my imagination.

Re:Only affects OEM stuff? (1)

grahamm (8844) | more than 2 years ago | (#37539268)

Allowing the user to intentionally add keys but preventing malware from doing so should not be too difficult for MB manufacturers. Have a hardware jumper with 3 positions, 1) Do not enforce secure boot, 2) Enforce secure boot, 3) Only allow new keys to be added but do not allow the system to do anything else including booting.
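As an added illustration (not part of the thread or any poster's code): the states discussed above map loosely onto what UEFI firmware reports through its `SecureBoot` and `SetupMode` variables, which Linux exposes under efivarfs. The sketch below reads them and classifies the machine; the function names, state labels and sample bytes are constructed for this example.

```python
import struct
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# GUID of the UEFI "global variable" namespace that holds SecureBoot/SetupMode.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs file into (attributes, data).

    efivarfs prefixes every variable with a 4-byte little-endian
    attribute mask; the variable's value follows.
    """
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]


def read_flag(efivars_dir: Path, name: str) -> Optional[int]:
    """Return 0/1 for a one-byte boolean variable, or None if it is absent."""
    path = Path(efivars_dir) / f"{name}-{EFI_GLOBAL_GUID}"
    try:
        raw = path.read_bytes()
    except FileNotFoundError:
        return None
    _, data = parse_efivar(raw)
    if len(data) != 1 or data[0] not in (0, 1):
        raise ValueError(f"{name}: expected a single 0/1 byte, got {data!r}")
    return data[0]


def classify(secure_boot: Optional[int], setup_mode: Optional[int]) -> str:
    """Map the two firmware flags onto a boot-policy state."""
    if secure_boot is None:
        # Legacy BIOS boot, or firmware with no Secure Boot support.
        return "unsupported"
    if setup_mode == 1 and secure_boot == 1:
        # The UEFI spec requires SecureBoot == 0 while in Setup Mode.
        return "inconsistent"
    if setup_mode == 1:
        # No Platform Key enrolled: keys can be written without
        # authentication. Unlike the jumper's third position, firmware
        # in this state still boots unsigned code.
        return "setup-mode"
    return "enforcing" if secure_boot == 1 else "not-enforcing"


def firmware_state(efivars_dir: Path = EFIVARS_DIR) -> str:
    return classify(read_flag(efivars_dir, "SecureBoot"),
                    read_flag(efivars_dir, "SetupMode"))


def write_sample(directory: Path, name: str, value: int) -> None:
    """Write a constructed efivarfs-style entry (attrs 0x6 = BS|RT access)."""
    entry = struct.pack("<I", 0x6) + bytes([value])
    (Path(directory) / f"{name}-{EFI_GLOBAL_GUID}").write_bytes(entry)


if __name__ == "__main__":
    # Constructed sample: a machine enforcing Secure Boot with keys enrolled.
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(Path(tmp), "SecureBoot", 1)
        write_sample(Path(tmp), "SetupMode", 0)
        print("constructed sample:", firmware_state(Path(tmp)))
    if EFIVARS_DIR.is_dir():
        print("this machine:", firmware_state())
```
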

Re:Only affects OEM stuff? (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#37539102)

Are the motherboards upon which all of today's "DIY" just-plug-it-where-it-fits "custom built" computers depend not OEM now?

Yes, it definitely will affect OEM products (such as, oh, every laptop you might want to use); but team "Just Build Your Own!" isn't in a substantially better position unless the OEMs that make motherboards are substantially more helpful than the OEMs that make whiteboxes (and paying $50 extra for the "enthusiast edition" that lets you do your own keyfill isn't going to cut it)...

what about business? who may not want windows 8? (1)

Joe_Dragon (2206452) | more than 2 years ago | (#37539192)

and wants to load windows 7?

Some 3rd party disk encryption system?

3rd party imaging tools?

memtest?

windows xp? (for some old stuff that may only work with it?)

Linux (some businesses do run linux even if it's in a very limited way)

systems with deep freeze and other 3rd party lock down apps.

Hunting... (1)

Zaldarr (2469168) | more than 2 years ago | (#37538958)

I'm hunting, but I can't seem to find exactly where to sign the petition in any of these links...

Re:Hunting... (5, Informative)

Zaldarr (2469168) | more than 2 years ago | (#37538978)

Re:Hunting... (1)

Richard_at_work (517087) | more than 2 years ago | (#37539364)

Can you find the anti-sign link?

Re:Hunting... (2)

drainbramage (588291) | more than 2 years ago | (#37538980)

Did you look down under?

Re:Hunting... (3, Insightful)

Bengie (1121981) | more than 2 years ago | (#37539416)

In other news, users petition to have Firewalls disabled, Microsoft force all users to have admin privs, and the removal of passwords.

When interviewing these users they had these things to say: "I love malware, someone has to" and "Pressing F12 at boot and disabling secure boot is too much work, I would rather troll every forum on the internet to sign petitions"

If you want to stand up for the rights of malware and rootkit creators everywhere, please help support this cause. Because.. "Someone has to love them"

Signing off, Bengie

1) Certs can be managed if your OEM doesn't suck. eg. Sign your own custom Linux kernel if you want
2) Win8 doesn't require secure boot to work, it just requires secure boot to put the logo on the PC
3) Secure boot can be disabled, again assuming your OEM doesn't suck
4) IT would have a shit storm if they couldn't manage this
5) Server admins would have a shit storm if they couldn't manage this
6) Someone would lose a job at Dell/HP/Gateway/etc if the end user couldn't manage this
7) This effectively makes it impossible, with current malware, to ever take over a PC

I have yet to hear a logical argument against secure boot, just lots of emo and fud.

Re:Hunting... (0)

Anonymous Coward | more than 2 years ago | (#37539534)

...if your OEM doesn't suck.

...assuming your OEM doesn't suck

I dunno man... That's a big IF. ...btw, wasn't there an article posted here on slashdot within the past few days, questioning whether NewEgg was obsolete? Methinks not.

Petition to ignorance (2, Insightful)

Manip (656104) | more than 2 years ago | (#37539002)

This petition and the signers of it just show that they're ignorant of the technology and the implementation of it. Unfortunately you might have government bodies thinking there is no smoke without fire, and making threats about this or that. But truth is this is a manufactured story that really has yet to cause anyone any problems.

Let me ask you this: Who has built a system with a UEFI subsystem which doesn't allow Secure Boot to be disabled by the user? Answer: Nobody.

Re:Petition to ignorance (2)

CaptainJeff (731782) | more than 2 years ago | (#37539080)

This.

UEFI Secure Boot allows you (the user/owner of the machine) to choose to verify that what you are truly booting is what you think it is. If you boot Windows 8 using this approach, you gain a higher degree of assurance that you're booting legit Microsoft code and not something that someone has infected your computer with. This is a big win for the *vast* majority of desktop users as most of them run Windows and most of them have a legitimate desire to not get bit by malware.

If you do not use this, and want to run Linux, one of the BSDs, or anything else, go into your BIOS and turn it off. Plain and simple. You can boot any darn thing you want, you just don't get the cryptographic verification that you're booting what you think you are. *Your Choice.*

Re:Petition to ignorance (-1)

Anonymous Coward | more than 2 years ago | (#37539338)

Please.

From the last link in the summary: "Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option."

Do you really think that if MS can get away with this, they will never try to go beyond it? How about a DRM watchdog that monitors all your file transfers? A MAFIAA-mandated rootkit that automatically files charges when you listen to a CD? A built-in webcam that can be controlled by the vendor at any time?

There is no difference between security and control when it comes to a proprietary OS: both serve to protect the system from the user.

apt captcha: naively

Re:Petition to ignorance (3, Interesting)

gstoddart (321705) | more than 2 years ago | (#37539090)

But truth is this is a manufactured story that really has yet to cause anyone any problems.

Because they haven't shipped any yet, that's why.

Let me ask you this: Who has built a system with a UEFI subsystem which doesn't allow Secure Boot to be disabled by the user? Answer: Nobody.

And, who has seen a UEFI system which says it's been designed for Windows 8 they could test this against? Answer: Nobody.

In the hands of Microsoft, I believe entirely they would insist their vendors build a machine which is really only capable of booting Windows without basically violating ACTA or something. They've never demonstrated any compunction about forcing lock-in if they get a chance. In fact, they have a strong preference for it.

Hell, it took literally years and a bunch of lawsuits to buy a whitebox PC without Microsoft getting paid for the OS even if you didn't want it and weren't going to use it ... you think they'd hesitate to insist vendors ship something locked down to them?

The reality is, almost any tech company would lock you into their product so fast it's not funny.

Re:Petition to ignorance (0)

Anonymous Coward | more than 2 years ago | (#37539410)

If you don't like the product. Do not buy the product. That is what Free Enterprise is all about. Let the market, not the courts decide.

Re:Petition to ignorance (3, Insightful)

gstoddart (321705) | more than 2 years ago | (#37539642)

If you don't like the product. Do not buy the product. That is what Free Enterprise is all about. Let the market, not the courts decide.

Blah blah blah.

The free market never reaches optimal conditions. The free market allows the big players to change the rules and fuck us all over. The free market is an abstraction that doesn't exist.

If we let the markets decide, we'd all be running Microsoft operating systems on closed hardware, and it would spy on us. And we'd probably be driving cars which explode on contact.

Oh, and most of us wouldn't have survived to adulthood because companies would have replaced melamine for protein powder or other toxic shortcuts.

Your market does nothing more than look out for its own interests. It's incapable of doing the things you ascribe to it ... mostly it's just the rich eating the poor.

Re:Petition to ignorance (2)

brainzach (2032950) | more than 2 years ago | (#37539604)

You are just spreading FUD.

Windows 8 competes with Windows 7 and they have to allow users to upgrade with an old PC. It would be stupid to implement an OS that requires a Secure Boot mode, because it would mean that users would have to buy new hardware.

Even if they did, there will be anti-trust litigation in both the US or EU. Microsoft has been in trouble in the past for bundling software, which is a far less serious offense than actually locking out the competition. Any attempt would just be negative publicity and could potentially bar them from selling in a major market.

It would be a stupid business decision especially when over 95% of consumers prefer Windows over Linux anyways. There is little to gain for Microsoft and a lot to lose

Re:Petition to ignorance (2)

Lieutenant_Dan (583843) | more than 2 years ago | (#37539116)

Exactly. This is for people who have no clue ... much ado about nothing.

http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface [wikipedia.org]

MS wants to present Win8 as a "secure" platform and UEFI in their minds is one piece of the puzzle. That's open to interpretation.

The options are:
a) disable UEFI in BIOS
b) don't purchase a system that UEFI implemented that cannot be disabled
c) urge your Linux-vendor (e.g. RH) to get on the UEFI bandwagon if you're so inclined

Re:Petition to ignorance (-1, Troll)

Alex Belits (437) | more than 2 years ago | (#37539222)

Microsoft marketing people sure are busy today.

Re:Petition to ignorance (1)

Lieutenant_Dan (583843) | more than 2 years ago | (#37539548)

Where exactly do you get the implication that I support MS in this? Because I don't take an active anti-MS stance like it seems to be prevalent here in /. land?

I remember when the processor ID thing was implemented. Lots of uproar. Years later that option to enable/disable exists in the BIOS. If I recall correctly on my MB that setting was disabled by default.

Re:Petition to ignorance (1)

dougisfunny (1200171) | more than 2 years ago | (#37539400)

How exactly do you propose someone disable UEFI in BIOS?

Re:Petition to ignorance (1)

Lieutenant_Dan (583843) | more than 2 years ago | (#37539490)

Go into by BIOS and toggle the setting.

Re:Petition to ignorance (1)

stretch0611 (603238) | more than 2 years ago | (#37539418)

The options are:
a) disable UEFI in BIOS

Provided that this will be an option.

b) don't purchase a system that UEFI implemented that cannot be disabled

Probably the same chance of being able to buy a system today without windows... Which is a slight chance for a desktop and no chance for a laptop.

c) urge your Linux-vendor (e.g. RH) to get on the UEFI bandwagon if you're so inclined

And having these linux vendor keys pre-installed on a system has the same chance of getting a system with linux pre-installed. (i.e. you're screwed)
I can tell you right now that 3rd party keys will never be user installable. If they ever are this would be an attack vector. What use are secure keys if anyone can change them?

Re:Petition to ignorance (1)

Pax681 (1002592) | more than 2 years ago | (#37539492)

Exactly. This is for people who have no clue ... much ado about nothing.

http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface [wikipedia.org]

MS wants to present Win8 as a "secure" platform and UEFI in their minds is one piece of the puzzle. That's open to interpretation.

The options are: a) disable UEFI in BIOS b) don't purchase a system that UEFI implemented that cannot be disabled c) urge your Linux-vendor (e.g. RH) to get on the UEFI bandwagon if you're so inclined

ummmmm UEFI is REPLACING BIOS
so perhaps you mean entering the UEFI and switching off the secure boot option?????????
mind you that's IF the OEM gives you that option in the UEFI
i always build my own so won't have this problem and indeed in my new sandybridge Asus P8Z68-V PRO Z68 mobo i do have that option.. all good
i even tried it with windows 8 legitimately downloaded from HERE [tweaks.com]
and i have to say that windows 8 sucks major dick and i'll just leave the gaming with windows 7 thanks very much
so it boils down to ... build your own and keep control of running whatever you want on your machine ....or buying OEM and running what they let you ... unless you are lucky enough to be able to have the ability to turn off secure boot...... those are the APPARENT choices at the moment

Re:Petition to ignorance (1)

Anonymous Coward | more than 2 years ago | (#37539118)

Give them a finger, and they'll eventually take the whole arm, and then the rest of the body too. Even if it's possible to disable Secure Boot *now* (and we don't know for sure, since the system isn't out yet), how much would you be willing to bet that they won't attempt to remove that option in the future, for security?

The whole idea of Secure Boot is to take control away from the user, and we shouldn't allow that, not even one little bit.

Re:Petition to ignorance (0)

Anonymous Coward | more than 2 years ago | (#37539128)

Did you actually RTFA? Look at point 2. How long do you think people should wait before reacting? Until the market is already flooded with such systems?

Re:Petition to ignorance (3, Insightful)

karolbe (1661263) | more than 2 years ago | (#37539134)

It is just a matter of time when such systems will start appearing. I bought a laptop some time ago, and to my big surprise it had VT-x (Hardware Virtualization) flag disabled, enabling it by the vendor was just a matter of setting one bit in some processor registry, but still they decided to release BIOS without such option. You could buy similar laptop with VT-x enabled but it cost more. I expect that in 3 years time we will have to pay extra just to have Secure Boot option configurable. After all that feature will be purely for "experts" (that is Linux users) and they can afford paying more...

Re:Petition to ignorance (1)

L4t3r4lu5 (1216702) | more than 2 years ago | (#37539506)

This happens across all industries, not just IT. Cars which have 70, 90, and 120 hp variants often only require a new ECM mapping. There's an old model HP plotter in which, if you hold a certain set of keys at boot up and short a couple of pins, can be changed between monochrome and CMYK. That's no software change at all; It's all already within the machine when sold as monochrome, and you pay for the upgrade to colour.

As usual, the technical community will figure out how to get this functionality working or disabled, depending on motivation, and nothing will change at all. The only people who will lose out are the regular Joe home user (who won't care) and the ill-informed buyer (who will pay for the top-line model with the features we can get by hacking the damn thing).

Re:Petition to ignorance (1)

Darth Snowshoe (1434515) | more than 2 years ago | (#37539140)

See, you and I, we can just build a desktop system and, if what you say is true, there would be no problem.

But what about somebody like MY DAD, he hears about linux from the guys at work, decides to try it on his new, factory-built Windows PC? Where does this leave him?

I say this not euphemistically, I love my dad but he's a putz around computers, but I could easily imagine him and people like him attempting this. They'd basically be locked out, or screwed.

Re:Petition to ignorance (2)

CaptainJeff (731782) | more than 2 years ago | (#37539252)

But what about somebody like MY DAD, he hears about linux from the guys at work, decides to try it on his new, factory-built Windows PC? Where does this leave him?

I say this not euphemistically, I love my dad but he's a putz around computers, but I could easily imagine him and people like him attempting this. They'd basically be locked out, or screwed.

You worry about your dad needing to change one BIOS setting, but expect him to set up a dual boot environment to try Linux out? Or blow away Windows to install Linux? Huh.

As to where does this leave your dad? He should probably run Linux within a virtual machine on his new Windows PC. No mess, no fuss. Seriously, I've stopped dual booting systems years ago...with modern VT-enabled chips, virtualization is sooooooooooo much of a superior approach.

Re:Petition to ignorance (1)

Zerth (26112) | more than 2 years ago | (#37539374)

Perhaps he'd use a linux liveCD?

Re:Petition to ignorance (1)

Missing.Matter (1845576) | more than 2 years ago | (#37539432)

But what about somebody like MY DAD, he hears about linux from the guys at work, decides to try it on his new, factory-built Windows PC? Where does this leave him?

Right, because computer novices decide to install new operating systems all the time as it is. Must be why Linux has such a high market share. Now UEFI is his only hurdle! No. The reality is no one cares to install Linux, and the people that do care will know how to, UEFI or not.

Re:Petition to ignorance (0)

Anonymous Coward | more than 2 years ago | (#37539160)

There is nothing stopping manufacturers from preventing or making it difficult for users to unlock the secure boot. In fact I predict many will keep it locked and perhaps only give you the unlock code if you agree to void your warranty. Such petitions could lead to laws that require manufacturers to include the unlock code with every new computer. Then M$ can still have its secure boot and customers can still do whatever they want.

Europeans (3, Insightful)

sg_oneill (159032) | more than 2 years ago | (#37539016)

I'd strongly implore Europeans to look at similar moves. The EU courts have proven time and again to have backbone when it comes to anti-competitive behaviour in the IT industry, and right now this is Microsoft playing the checkmate card it's been threatening for a long long time.

Re:Europeans (2)

Richard_at_work (517087) | more than 2 years ago | (#37539126)

How about we wait for further information before freaking out like teenage girls when some rubbish boy band breaks up?

There has been fuck all in Microsoft's announcements that suggests a motherboard manufacturer has to allow Windows and nothing else. There has been no suggestion that secure boot cannot be disabled. There has been no suggestion that the user won't be in control.

Hell, people should be applauding the securing of the boot process - I remember it being a huge problem on the Amiga with boot sector viruses, the same on DOS and pre-Internet-connected PCs, and now we have seen a resurgence in boot sector activity... Bring secure boot on, please!

Re:Europeans (0)

Anonymous Coward | more than 2 years ago | (#37539430)

There has been no suggestion that secure boot cannot be disabled.

For it to make any sense, at least a virus that found a root exploit must be unable to disable secure boot. This rules out any software option.
The only options left would be a BIOS/UEFI option (still dangerous, virus may use exploit to write to EPROM) or some kind of physical switch (costs money).

So I find it very likely that hardware manufacturers force the secure boot on us, disabling Linux.

Re:Europeans (2)

JaredOfEuropa (526365) | more than 2 years ago | (#37539168)

Microsoft are not mandating PC manufacturers to have UEFI, that's only if they want to slap the "Designed for Windows 8" logo on the case. Neither are Microsoft preventing manufacturers from distributing keys for other OSes along with the Windows one. It's a bit farfetched to follow the reasoning: "Windows 8 is the dominant OS, having a Windows 8 sticker on your brand of PCs is highly desirable, to get that sticker you need UEFI and the Windows key installed, which means that all PC manufacturers will enable UEFI, but they'll be too much of a slacker to add keys for other popular OSes, which effectively means that Microsoft is locking out other operating systems". It's doubtful the EU anti-competition watchdog will see it that way, especially since MS do not require manufacturers to prevent users from disabling UEFI to be allowed to bear the Windows 8 sticker, or to run Windows 8.

A question: does UEFI allow users to install additional keys later on?

Re:Europeans (1)

Dr_Barnowl (709838) | more than 2 years ago | (#37539494)

A question: does UEFI allow users to install additional keys later on?

I believe it does, but only from an OS that booted in trusted mode.

You may be able to do it from the UEFI interface itself, but it would be kind of ironic to have to install Windows to "bless" your machine to secure-boot Linux.

Re:Europeans (1)

Sez Zero (586611) | more than 2 years ago | (#37539278)

... playing the checkmate card...

I admire your attempt at mixed-metaphor.

Re:Europeans (0)

Anonymous Coward | more than 2 years ago | (#37539314)

The EU courts have proven to be toothless in any significant capacity as well. MS is still doing business as usual. Same with Apple and their lock-in. Those guys were so eager to sign ACTA and show whose lapdogs they are, it is pathetic.

Wake us up when the EU does more than rattle off some anti-US speech.

honestly...so what? (0)

Anonymous Coward | more than 2 years ago | (#37539026)

Really though...who buys a vendor PC then slaps Linux on it? We build our PC's..

Re:honestly...so what? (4, Insightful)

Chrisq (894406) | more than 2 years ago | (#37539068)

Really though...who buys a vendor PC then slaps Linux on it? We build our PC's..

I did just that with my laptop

Re:honestly...so what? (2)

metalgamer84 (1916754) | more than 2 years ago | (#37539070)

I have with all my Dell work laptops and desktops that I run. Linux hosts, XP/7 virtual guests.

Re:honestly...so what? (1)

Anonymous Coward | more than 2 years ago | (#37539082)

And the mother board you buy will be similarly locked

Re:honestly...so what? (1)

Pax681 (1002592) | more than 2 years ago | (#37539562)

And the mother board you buy will be similarly locked

no they are NOT AC scaremonger... i have
http://www.ebuyer.com/267772-asus-p8z68-v-pro-z68-socket-1155-8-channel-hd-audio-atx-motherboard-p8z68-v-pro [ebuyer.com]
and it boasts a funky range of features including /uefi and guess what???? you can disable secure boot!
so basically you talk crapioca or just make assumptions without any actual knowledge and spout....... crapioca

Re:honestly...so what? (1)

dc29A (636871) | more than 2 years ago | (#37539204)

Really though...who buys a vendor PC then slaps Linux on it? We build our PC's..

Right! I bought all pieces of my laptop and assembled it myself and installed Linux on it!

Oh wait ... I was dreaming again.

Really? (1)

Anonymous Coward | more than 2 years ago | (#37539046)

It seems the main complaint actually is that Microsoft does not require hardware manufacturers to allow users to disable secure boot, but that this is entirely up to the hardware manufacturers. I am not even sure Microsoft would be legally allowed to try to control what manufacturers do outside what is directly related to Windows (they can say that to use Windows logo you must boot this way, they can't tell the manufacturers what to do for other booting scenarios).

Vote with wallet and buy PCs that have the option to disable secure boot.

Re:Really? (1)

Tsingi (870990) | more than 2 years ago | (#37539178)

RTFA

Re:Really? (1)

Shompol (1690084) | more than 2 years ago | (#37539402)

Well, yes, your wallet is the one targeted in this operation. You will have to pay premium for an inferior system/motherboard just to have the "unlocked boot" -- strike that -- "Not certified for Windows" option. Add some patent royalties on top and suddenly it is more expensive to own a Linux system.

This also solves the problem of those pesky dual-boots: Windows will refuse to run on unlocked BIOS computers, citing security issues. Want to run a windows app natively? -- buy a second computer.

EU (0)

Anonymous Coward | more than 2 years ago | (#37539058)

They probably will not be allowed to sell this shit in the EU due to anti-monopoly rules. An OEM isn't even allowed to charge money for Windows if the customer indicates they want to use something else (but they don't have to put windows on it either). They must offer a version without it (financially. They may put it on there but they can't charge for it), but they don't have to display it.

secure boot?? (1)

Twinbee (767046) | more than 2 years ago | (#37539066)

What's with all this secure boot crap anyway? When did anyone last get a virus, trojan or worm through the boot process and not through say the browser or a rogue piece of software?

Has Symantec or McAfee infiltrated into Microsoft or something?

Re:secure boot?? (3, Informative)

maxume (22995) | more than 2 years ago | (#37539148)

Secure boot prevents those other malwares from subverting the boot process.

Re:secure boot?? (0)

Anonymous Coward | more than 2 years ago | (#37539166)

No, dumba$s.. the virus can be loaded by any method. The boot sector is where it's run from.

Re:secure boot?? (4, Interesting)

Anonymous Coward | more than 2 years ago | (#37539196)

This isn't designed to stop viruses (though theoretically it could help a little), this is part of Microsoft's anti-piracy push. Current methods of pirating Windows involve loading up something before the kernel to trick Windows into thinking it is installed on a machine with an OEM license. Obviously if the BIOS won't hand off to unsigned code then this becomes impossible and this method of piracy (which has been in use since Vista's time) is no longer viable.

Hence why they don't want OEMs to give you the option to disable this feature or to load up your own keys. If they did then it would solely be a security feature and do nothing for piracy. Given that, it explains why Linux people are so worried, because Microsoft is pushing for exactly this and Linux is about to get caught in the crossfire.

Re:secure boot?? (1)

maxume (22995) | more than 2 years ago | (#37539306)

There is nothing out there to suggest that Windows 8 will require secure boot to run.

Actually, Microsoft has been stating otherwise.

Re:secure boot?? (1)

Riceballsan (816702) | more than 2 years ago | (#37539362)

It isn't from viruses that strike at the boot process, it prevents one that came in through a browser or rogue piece of software, from planting a root kit into the boot sector of the OS.

Want (1)

Gyorg_Lavode (520114) | more than 2 years ago | (#37539074)

Dear Microsoft,
Please include the requirement for secure boot. I know how to download vmware player to run the things I want to run in a virtual machine and I greatly desire to have a secure underpinning to my OS. Thanks.
Gabe

Re:Want (1)

KiloByte (825081) | more than 2 years ago | (#37539154)

Ok, but for that you'll have to boot a secure OS first so you can run Windows in that VM.

Re:Want (1)

Microlith (54737) | more than 2 years ago | (#37539594)

I know how to download vmware player to run the things I want to run in a virtual machine and I greatly desire to have a secure underpinning to my OS. Thanks.

That's nice. I hope you only like ever running Windows natively, and having to always put Linux in a VM.

So then don't buy it (0, Troll)

davek (18465) | more than 2 years ago | (#37539078)

Sheesh people, this is a free market. If you don't like it, don't buy it. It's not like these are mandatory government issued computers or something. On top of that, it is still cheaper to build your own machine and be your own Original Equipment Manufacturer.

This is a non-story.

Re:So then don't buy it (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#37539176)

Are you planning to design and fab your own motherboard, as well? With the exception of hardcore, but largely irrelevant, hobbyists wire-wrapping their TTL micros, nobody "builds" computers. They buy a few high level chunks of a computer, with well defined physical and logical interfaces, and plug them in to one another. That doesn't make you an OEM, that makes your motherboard manufacturer the OEM and you the systems integrator. Unless you think that MSI will magically be more cooperative than Dell, that places you in exactly the same position...

Re:So then don't buy it (1)

maxume (22995) | more than 2 years ago | (#37539396)

Of course motherboard vendors will be cooperative, they are going to have to do the work for server boards, they will happily translate that work over to the lunatic market (I would include myself in there).

Re:So then don't buy it (1)

Shompol (1690084) | more than 2 years ago | (#37539238)

A "free market", 95% of which is controlled by one company, which also does not hesitate to use any means to squash any new competition?

Hmmm, let's look up the definition:

free mar-ket

noun

An economic system in which prices are determined by unrestricted competition between privately owned businesses [google.com]

Please enlighten us about the competition part and explain how it works when one "privately owned business" owns 95% of it.

Re:So then don't buy it (1)

MBC1977 (978793) | more than 2 years ago | (#37539244)

You're asking people to stop drinking the "sky is falling" Kool-Aid. Probably never will happen.

Re:So then don't buy it (1)

DaMattster (977781) | more than 2 years ago | (#37539274)

Sheesh people, this is a free market. If you don't like it, don't buy it. It's not like these are mandatory government issued computers or something. On top of that, it is still cheaper to build your own machine and be your own Original Equipment Manufacturer.

This is a non-story.

Whoever modded the parent a troll should not have been given moderator points because this is simply an observation that is not designed to inflame. It is a free market so vote with your wallet as it is far more powerful and easier than seeking assistance from the legal system. If everyone refused to purchase hardware that has Microsoft's Big Brother Bootloader then you'll see how quickly OEMs will be releasing firmware updates to remove this because, last time I checked, a company needs to be ultimately profitable in order to be viable. OEMs would be picketing at Microsoft's door.

Re:So then don't buy it (1)

said213 (72685) | more than 2 years ago | (#37539366)

This highly dismissive post is intellectually dishonest.

It's like you chose to react and in doing so dismissed the notion of actual thought... Are you, at all, familiar with the "Slippery Slope" argument?

You are correct in that these will not be, "mandatory government issued computers or something."
They are, in fact, much worse... the government doesn't have a 90% market share on computer operating systems.

Impossible? (3, Interesting)

maxume (22995) | more than 2 years ago | (#37539110)

Only if there is no way to disable secure boot.

The problem here is that a majority of users are Windows users that will actually benefit from running a computer with a secure boot loader. So Microsoft is serving the interests of their users by pushing for secure boot.

The good reason to oppose secure boot is the fear that computers will ship locked to Microsoft's keys. Before petitioning the government to specify the terms under which Microsoft can offer a logo program, people should be encouraging Microsoft to add a requirement for a method of disabling secure boot to the logo program (this may well be futile...).

The reason for Microsoft to do this would be to put the whole damn issue behind them, and it only really matters for random consumer hardware that might end up with Linux on it, not a space they face much competition in.

(Server and business vendors will continue to sell their customers what they want, running arbitrary software on such systems will not be problematic)

Article Gives the Obvious Solution (2)

holophrastic (221104) | more than 2 years ago | (#37539132)

The article lists the hardware manufacturer -- the system builder -- as Microsoft's customer. This is not surprising, since they are the people giving money directly to microsoft.

So like with everything else in life, if you want to have control over something, all you need to do is to pay for it. You're welcome to purchase your computer from Best Buy, and thus give Best Buy all of the control. Best Buy can choose what you'll get vis-a-vis the security of the OS. Or, you can do what many of us do.

You can purchase Windows 8 directly, and install it yourself. Then you'll be the "hardware manufacturer" (a term that's lost all meaning here), and you'll have complete control over it.

Welcome to the power of money.

Re:Article Gives the Obvious Solution (1)

DaMattster (977781) | more than 2 years ago | (#37539328)

I can also see a potential problem of paying twice for an OEM PC. There is nothing to stop an OEM from first charging for the PC, then charging for the unlock of the bootloader. Furthermore, said OEM can threaten those who "jail break" their own PCs with voiding the warranty. I wonder if people that decide to purchase Windows 8 to use directly on a PC they built would be required to install some firmware update to give Microsoft its way.

Re:Article Gives the Obvious Solution (1)

holophrastic (221104) | more than 2 years ago | (#37539448)

No, you build it yourself, and all is good. You just won't have the "windows 8 logo certification" sticker -- which indicates that you built it yourself.

Huh? (1)

Junta (36770) | more than 2 years ago | (#37539480)

If you buy from Best Buy, you bought from a system builder who bought from Microsoft nearly certainly. Ignoring the money they already gave to MS and enabled secure boot by default as well and giving MS *more* money to acquire the *same* software that will also be signed in a way to pass the same secure boot checking is only different in how convoluted the scenario is.

Protesting having this enabled by default is a tad asinine for most desktop users. Demanding that Firmware be mandated to have a configuration setting allowing it to be disabled is reasonable.

There is a crowd of people with a legitimate issue. If you have an unattended mass deployment of non-signed software (e.g. you don't want a 'tech' babysitting any particular system), there is a significant problem. In enterprise system deployment, this could be construed as anti-competitive as MS is the only vendor with the leverage to get their signing keys everywhere.

Overall, however, I think Trusted Boot is a losing game in preventing malware. It means your rootkits have to get bigger and you probably have to build it out of a chain of signed software until you find a weakness, but unless you make the PC fundamentally less usable than it is today, there is going to be a weakness somewhere. For example, if you allow RH signing key and RH just signed grub and then was done with it, suddenly you have a Windows rootkit using grub chainloading malware then Windows.

Good Luck (2)

sgt scrub (869860) | more than 2 years ago | (#37539150)

I mean that sincerely but Microsoft has already implemented their legal stance, "It is not up to us. It is up to the vendor".

Re:Good Luck (1)

DaMattster (977781) | more than 2 years ago | (#37539350)

All the while preaching to the vendors on the merits of a locked bootloader.

Re:Good Luck (2)

Dr_Barnowl (709838) | more than 2 years ago | (#37539532)

Like "Hey, we'll give you preferential rates for OEM Windows 8 licenses if you have a locked bootloader."

Don't target Microsoft, target the OEMs (1)

Lose (1901896) | more than 2 years ago | (#37539308)

If even. No OEM is going to want to deal with the legal shit storm that would ensue from not offering an off switch to secure boot. Even if Microsoft bribed them to do it, it wouldn't happen.

Furthermore, if Microsoft did go around bribing OEMs into removing the off switch, governments and other software companies alike would be filing anti-trust lawsuits left and right.

There's nothing to worry about.

This issue isn't Microsoft's... (3, Insightful)

neokushan (932374) | more than 2 years ago | (#37539316)

..It's the OEM's. Nowhere does Microsoft mandate that OEMs must remove the option to disable UEFI secure boot, only that it's enabled by default.
For someone that's supposedly calling Microsoft out for misinformation, Matthew Garrett does a great job of it himself. Here's a few points I noticed:

Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.

Which hardware vendors? Who? What hardware? Why? And what has that got to do with Microsoft?

Windows 8 certification does not require that the system ship with any keys other than Microsoft's.

And why shouldn't it? It also doesn't state that you can only ship Microsoft's keys. Why is it Microsoft's responsibility to get keys other than its own installed?

A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems.

Exactly, however a system that ships with UEFI secure boot and only includes a linux distribution's signing keys will only securely boot that linux distribution. Why is the latter ok, but the former not? Oh wait, because Microsoft is the big, bad guy? Once again - Microsoft doesn't mandate that UEFI secure boot be forced, it's the OEM's decision to remove the option to disable it.

Vendors who choose not to follow the certification requirements will be at a disadvantage in the marketplace. So while it's up to vendors to choose whether or not to follow the certification requirements, Microsoft's dominant position means that they'd be losing sales by doing so.

Of course, this fails to mention (again) that OEMs are in no way forced to remove UEFI secure boot and by doing so, they'll be at a disadvantage in the marketplace and lose sales from people like this very writer....

Why is this a problem? Because there's no central certification authority for UEFI signing keys. Microsoft can require that hardware vendors include their keys. Their competition can't. A system that ships with Microsoft's signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft's. No other vendor has the same position of power over the hardware vendors. Red Hat is unable to ensure that every OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD or any other PC component manufacturer. Microsoft's influence here is greater than even Intel's.

In short: Because Nobody else can have secure boot, why should Microsoft get to have it? Apparently that's bad for even the likes of AMD and Intel.
Never mind that 99.99% of malware targets windows, that most "zombies" on the internet are Windows machines, that most spam is sent from windows machines, which affects everyone. In that instance, giving Windows machines that extra blip of security by default hardly seems like a bad thing.

What does this mean for the end user? Microsoft claim that the customer is in control of their PC. That's true, if by "customer" they mean "hardware manufacturer". The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware.

Woah woah woah! Didn't you just say that Microsoft were the only ones capable of forcing Manufacturers to include their signing keys? That the likes of AMD, Intel, etc. were unable to do this? How on earth did we suddenly jump from "nobody except Microsoft can include these keys" to "well actually certain people probably in some conspiratorial collaboration with Microsoft will get to include their keys...".

And let me reiterate a point that keeps coming up again and again...

The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice

How is that different to today's systems? Linux supports secure boot, but how many systems can actually use it? How many motherboards come with the ability to install those keys? Today, as things stand, nobody can install extra signing keys to securely boot the operating system of their choice. Once again, we're harking back to the "If we can't have it, then why should Microsoft?"

This whole thing stinks of misinformation and FUD. The OEMs are the ones you want to pressure, not Microsoft.

It's already been disproven... (0)

Anonymous Coward | more than 2 years ago | (#37539336)

Why do people hate progress?

UEFI and secure boot should NOT be a concern (0)

Anonymous Coward | more than 2 years ago | (#37539358)

Just a quick thought as I have held my tongue long enough but don't have the time to argue my point. I would just say please read more about UEFI and its extensibility properties.

First, secure boot will improve security 10 fold. Especially for non technical users. This will prevent MBR rootkits and other malicious software from targeting initialization software.

Second, Microsoft will have no control over your bootloader, the motherboard manufacturer does. As long as the mobo allows signed drivers by projects like Trusted Grub or Trusted Boot, you will be able to switch out the bootloader. Please seriously read the UEFI documentation as this is getting out of hand and many people appear ignorant.

Re:UEFI and secure boot should NOT be a concern (2)

pavera (320634) | more than 2 years ago | (#37539558)

I really doubt your claim of a 10 fold improvement in security. How many MBR rootkits have you cleaned up in the wild? How many lame malware infections have you seen/cleaned up in the wild (which secure boot won't help 1 iota)? For me those numbers are 0 to about 50,000 in the last 5 years.

Phishing and hacked websites that dump malware via browser bugs are the 2 biggest security threats I've seen in the last 5 years, and neither of these is even remotely addressed by secure boot, when someone comes up with a key signing scheme to stop phishing I'll listen to a "10 fold improvement" claim, not before.

Chalk up another one for RMS... (1)

MrKevvy (85565) | more than 2 years ago | (#37539360)

The Right To Read [gnu.org] from 1997:

Dan would eventually find out about the free kernels, even entire free operating systems, that had existed around the turn of the century. But not only were they illegal, like debuggers--you could not install one if you had one, without knowing your computer's root password. And neither the FBI nor Microsoft Support would tell you that.

Not so sensationalist or paranoid now, is it?

A BIOS with minimal features? (1)

ljw1004 (764174) | more than 2 years ago | (#37539420)

I have NEVER seen a BIOS with minimal features.

(The original RedHat complaint was that "MadeForWin8" machines must support UEFI, and must include Microsoft's boot keys; RedHat were worried that BIOS makers would ship with this bare minimum of support, i.e. not allowing you to disable UEFI or to add your own keys.) Disclaimer: I work at MS as a language designer.

Re:A BIOS with minimal features? (0)

Anonymous Coward | more than 2 years ago | (#37539544)

"I have NEVER seen a BIOS with minimal features."

    This is sarcasm, right?

Re:A BIOS with minimal features? (0)

Anonymous Coward | more than 2 years ago | (#37539632)

Most laptops I've used have the ability to change the boot order, system time, set a bios\boot password and maybe one or two other speciality features (like how much memory to allocate to a onboard gpu).

I actually can't think of a laptop bios that isn't minimal.

So Don't buy it (1)

MrJanos (2430246) | more than 2 years ago | (#37539440)

So basically, the hardware manufacturers that go for locked secure boot will see drops in sales, I guess. I sure won't buy it if I can't use what I want on it. That's stupid.

Embrace. Extend. Extinguish. (0)

mrflash818 (226638) | more than 2 years ago | (#37539444)

...I remember Microsoft's history up to this moment, and remind myself:

1. Convicted monopolist
http://en.wikipedia.org/wiki/United_States_v._Microsoft [wikipedia.org] ...and their strategy of...

2. Embrace. Extend. Extinguish.
http://en.wikipedia.org/wiki/Embrace,_extend_and_extinguish [wikipedia.org] ...and then...

3. I silently thank every person and organization that advocates, promotes, creates, and helps distribute Open Source, Linux, GNU, OpenOffice, Mozilla, GPL, Apache, FSF, and every non-M$ FOSS alternative I can think of.

Quit cryin you Linux beyotches (-1)

Anonymous Coward | more than 2 years ago | (#37539580)

You lost a long time ago, and you're still cryin' about it. Your OS isn't even a has been. It's a never was or will be.

cell phone style lockdowns (1)

dicobalt (1536225) | more than 2 years ago | (#37539612)

That's the side advantage to this security feature. It's a win-win for Microsoft. The cell phone industry has already set a precedent that this is an acceptable practice.

Correct me if I'm wrong (0)

Moheeheeko (1682914) | more than 2 years ago | (#37539622)

Doesn't Apple already practice this? Where was the uproar and outrage then?