
Microsoft Certificate Was Used To Sign Flame Malware

samzenpus posted more than 2 years ago | from the signing-dirty dept.

Microsoft 194

wiredmikey writes "Microsoft disclosed that 'unauthorized digital certificates derived from a Microsoft Certificate Authority' were used to sign components of the recently discovered Flame malware. 'We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,' Microsoft Security Response Center's Jonathan Ness wrote in a blog post. Microsoft is also warning that the same techniques could be leveraged by less sophisticated attackers to conduct more widespread attacks. In response to the discovery, Microsoft released a security advisory detailing steps that organizations should take in order block software signed by the unauthorized certificates, and also released an update to automatically protect customers. Also as part of its response effort, Microsoft said its Terminal Server Licensing Service no longer issues certificates that allow code to be signed."


why does the craigslist m4m section have so many (-1)

Anonymous Coward | more than 2 years ago | (#40208051)

disgusting old homos

Re:why does the craigslist m4m section have so man (-1)

Anonymous Coward | more than 2 years ago | (#40208171)

Totally off-topic, but probably because all the ones that are not disgusting don't have any trouble hooking up without a crutch like craigslist?

You know, just like all the other similar groups like m4w w4m etc.

Re:why does the craigslist m4m section have so man (0)

Anonymous Coward | more than 2 years ago | (#40209389)

OK, I guess that explains it

Surprised this isn't regulated more closely (5, Interesting)

danbuter (2019760) | more than 2 years ago | (#40208053)

I kind of thought Microsoft would make damn sure someone else couldn't duplicate their signatures (barring an employee or a government doing it).

Re:Surprised this isn't regulated more closely (2)

danbuter (2019760) | more than 2 years ago | (#40208059)

*certificates not signatures. Doh!

Re:Surprised this isn't regulated more closely (5, Insightful)

mcgrew (92797) | more than 2 years ago | (#40208389)

So much for "SafeBoot". Maybe we should now start calling it "unsafe boot"?

Re:Surprised this isn't regulated more closely (1)

leuk_he (194174) | more than 2 years ago | (#40208845)

Well,

You are already thrusting MS to run code (the "OS") on your computer. The boot is then the least of your worries. Unless you want to run another OS. But as Red Hat concluded, buying a 99 dollar certificate was a better option than to set up your own CA.

Re:Surprised this isn't regulated more closely (5, Funny)

Anonymous Coward | more than 2 years ago | (#40209113)

Sorry, but when you run Windows, MS does the thrusting.

Re:Surprised this isn't regulated more closely (1)

Anonymous Coward | more than 2 years ago | (#40209413)

And if you like the thrusting, you buy Apple.

Re:Surprised this isn't regulated more closely (2)

gstoddart (321705) | more than 2 years ago | (#40209253)

You are already thrusting MS to run code

Mostly it feels like Microsoft is thrusting us. ;-)

Re:Surprised this isn't regulated more closely (0, Interesting)

Anonymous Coward | more than 2 years ago | (#40209701)

After about 5 years of not coming in contact with anything even vaguely Microsoftish (except maybe teller machines in check-out lines and the ticket terminals at the Portland Max stops), I just reinstalled XP on an ageing yet speedy little 3ghz p4 the other day and after getting the various sp's downloaded and installed, jumping through the usual hoops of somehow getting it registered correctly and setting things up all nice and pretty, I just have to say: ye gods - I hate Windows. I really, really just do.

I read somewhere a long time ago that the OS should be invisible to the applications when you're using them and I think this never rang truer than of Microsoft's 2,000lb Gorilla. After 5 hours of getting everything nice and tidy so actual programs could be installed, I ran back to my laptop (debian), opened the Gimp and just sat there drawing kindergarten-esque doodles for an hour to meditate the negative OS microwaving I'd just gotten out of my skull. I honestly hate to think I'm an OS hater, but cheesez...

Point? I don't suppose I have one other than exorcising that particular demon in public. However, I think that any company that has to protect ITSELF (claiming it's protecting me) when its product is on my computer is NOT worthy of my trust and will never earn it by providing their own "certificates".

Please don't beat me for venting; just had to get that out...

Re:Surprised this isn't regulated more closely (1)

Errol backfiring (1280012) | more than 2 years ago | (#40209183)

No. "Protectionistic boot" is the most truthful term.

Re:Surprised this isn't regulated more closely (4, Interesting)

Dogtanian (588974) | more than 2 years ago | (#40208223)

I kind of thought Microsoft would make damn sure someone else couldn't duplicate their signatures (barring an employee or a government doing it).

Given the blurb for this story that also appeared today [slashdot.org] ...

All three were most likely developed by a Western intelligence agency as part of covert operations [..] consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets

I think that *this* part of your comment:-

(barring an employee or a government doing it)

may answer your own question. Aside from the fact that governments would have had massive resources to start off with, it's also probable that MS were (at least) forced to allow those governments access or involvement at some level to otherwise secure or confidential aspects of their software.

If this is the case, then at the very least, they could have used such knowledge to give themselves an advantage. Going one step further, it's possible that they used or exploited this to help steal or get access to those keys.

But given that it's widely claimed that the US government was involved in the creation of Stuxnet, it's equally plausible that MS willingly gave- or were pressurised into giving- them those certificates knowingly, even if they might not have known exactly what they were for.

This is just speculation- I don't know any of this for sure, or have any special knowledge of the situation. But it does add up to being at least plausible.

Re:Surprised this isn't regulated more closely (5, Informative)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#40208377)

The Feds may also be leaning on MS/Verisign/whoever; but this instance appears to be one of rather serious fuck-uppery. From MS's blog entry:

"What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure."

So, guys, turns out that we accidentally built our phone-home DRM such that the cryptographic "OK, your CALS are worthy unto Redmond and thou mayst remote desktop" message is also a valid signing key with a chain of trust going right back up to a default-trusted Microsoft cert... Oops.

Now, given that (so far as we know, clearly team AV isn't in any position to tell us) this little mistake was not widely known or exploited, clearly the Flame guys were on the ball (and far more interested in spying on Iran or whoever than in improving the security of domestic computers... thanks a whole fucking lot on that one, feds).

Re:Surprised this isn't regulated more closely (0)

Anonymous Coward | more than 2 years ago | (#40208443)

There's the possibility that the certificates are in the Windows source code, which I believe government agencies like the DoD request to have before they use proprietary software like Windows. However, the comment by fuzzyfuzzyfungus seems to indicate the attacks could've used an easier vector.

Re:Surprised this isn't regulated more closely (4, Insightful)

Spiked_Three (626260) | more than 2 years ago | (#40208613)

"This is just speculation- I don't know any of this for sure, or have any special knowledge of the situation. But it does add up to being at least plausible."

I have a little knowledge, not a lot, and yes this is exactly the kind of thing that can happen. It is quite impressive what happens when as a company you tell NSA no. In my limited experience, it changes to yes less than a month later.

Simple reality, Microsoft probably let a bug/flaw slip through a while back, if that was not the case then they were told to. Laugh all you want, but if any other operating system had been the target, do you think the outcome would have been any different? Oh, and here is another amazing fact; it will happen again if desired.

Re:Surprised this isn't regulated more closely (4, Insightful)

Spyder (15137) | more than 2 years ago | (#40208563)

Stuxnet was signed by stolen certificates: http://www.securelist.com/en/analysis/204792208/Stuxnet_Duqu_The_Evolution_of_Drivers?print_mode=1 [securelist.com] . It's possible that Flamer was signed by compromised certificates, but if we believe that Stuxnet and Duqu were the products of a nation state level actor then we could conclude that Flamer is in the same category.

Re:Surprised this isn't regulated more closely (1)

Vlad_the_Inhaler (32958) | more than 2 years ago | (#40208871)

Back when Kaspersky first went public on Flame, I saw that one of the Israeli government ministers essentially said "didn't we do well!" a day or so later. I don't remember his name, it meant nothing to me.
Of course as a politician he could well have been misinformed, lying (trying to position himself as a hawk) or just too stupid to keep his mouth shut. On balance, I tend to see Israel being wholly or at least partially responsible - "partially" would probably implicate the US as partners. Why do the Iranians persist in using Windows?

Re:Surprised this isn't regulated more closely (1)

shentino (1139071) | more than 2 years ago | (#40208889)

Considering the recent escalations in state sponsored cyberwarfare I wouldn't be surprised if the NSA was involved in Microsoft signing this stuff.

Re:Surprised this isn't regulated more closely (3, Interesting)

Alarash (746254) | more than 2 years ago | (#40209711)

I attended a Check Point keynote last year in Barcelona, where the speaker described how Stuxnet came to existence. Stuxnet also used digitally signed certificates used to authenticate a program's developer (usually a company). One came from Realtek, I forgot the other one.

The presenter said that these certificates had been signed by the CA that Microsoft delegated to these companies. Normally these CA servers stand in a highly secured room, with no network connection whatsoever. The certificates still got leaked. Something similar must have happened here. These are highly sophisticated pieces of malware, with virtually no expense spared to build them (for the Stuxnet example, you had to have your own Siemens PLC, something huge and expensive and hard to come by). So it's not really surprising they could just pay a disgruntled employee, or hack into the building, or do some James Bond stuff, or god knows what, to get their hands on these certificates.

Yay for security! (5, Funny)

Anonymous Coward | more than 2 years ago | (#40208055)

Proving once and for all that Microsoft's control of the bootloader key that is used everywhere will make all future computers more secure!

Re:Yay for security! (-1, Flamebait)

a90Tj2P7 (1533853) | more than 2 years ago | (#40208129)

You should probably do your homework. Microsoft's key will already be on Windows 8 Ready computers, that doesn't mean they control all of the secure boot keys. Companies can generate their own keys. They can run their own key servers. This is just uninformed FUD.

Re:Yay for security! (3, Informative)

the_B0fh (208483) | more than 2 years ago | (#40208175)

No, *MOTHERBOARD* manufacturers can add other keys. If you can't even boot to an alternative OS, there's no way in hell you could _CHANGE_ the damned keys, unless there was a vulnerability.

So please stop your FUD.

Re:Yay for security! (2, Informative)

Anonymous Coward | more than 2 years ago | (#40208287)

Wrong. On the x86_64 platform you will be able to boot into BIOS and add a new root key.

That is not true for ARM "Windows 8 Ready" platforms, but seriously who cares about ARM on the desktop?

Re:Yay for security! (5, Insightful)

peppepz (1311345) | more than 2 years ago | (#40208345)

First they came for ARM on the desktop, and I didn't speak because I didn't care...

Re:Yay for security! (4, Insightful)

recoiledsnake (879048) | more than 2 years ago | (#40209221)

No, first they came for phones and tablets, and they can barely keep them in stock with people falling over themselves and risking stampedes to buy them.

http://www.macobserver.com/tmo/article/gartner_apple_turns_its_complete_inventory_every_5_days/ [macobserver.com]

But somehow it's fashionable only to slag Microsoft on here and ignore the elephant in the room with the lion's share of devices and profits.

Re:Yay for security! (2)

EasyTarget (43516) | more than 2 years ago | (#40208455)

See comment by peppepz below, kludgy workarounds only available to geeks != freedom for the masses

Re:Yay for security! (1)

mlts (1038732) | more than 2 years ago | (#40208807)

Right now, ARM isn't that big, but there is a lot of talk about the jump to using ARM for servers and such because of the better MIPS per watt ratio it has over x86.

For things that are relatively lightweight in CPU, such as NTP servers, DNS, DHCP, and other basic services, ARM would excel. And MS demanding that only their key would ensure that every time ARM advanced in the enterprise, Windows would come with it.

Re:Yay for security! (1)

0123456 (636235) | more than 2 years ago | (#40209259)

And MS demanding that only their key would ensure that every time ARM advanced in the enterprise, Windows would come with it.

Except ARM machines are easy to build and most of them currently run Linux. Just because Windows tablets won't boot Linux doesn't mean that companies making ARM products would want to pay a Microsoft Tax on a $20 piece of hardware.

Re:Yay for security! (4, Insightful)

betterunixthanunix (980855) | more than 2 years ago | (#40208811)

That is not true for ARM "Windows 8 Ready" platforms, but seriously who cares about ARM on the desktop?

Maybe you are not creative enough to think of a reason to use ARM on a desktop? I can think of some:

  1. Low power situations -- I have a little ARM desktop that uses only 4W of power; this would be great if I were in a situation where I had to generate my own power, e.g. in a boat, in an RV, in a shack somewhere, etc.
  2. Low cost computers e.g. Raspberry Pi.

There you go, some situations where an ARM desktop might make sense. Really though, this misses the more important point: why should a computer user ever be barred from installing the software they want to install? Allowing people to install new signing keys for their computer is not at all unreasonable; it could be as simple as pressing a button and inserting a thumb drive (enough effort to make social engineering harder, but not so much effort that an untrained person would not be able to handle it).

Re:Yay for security! (2)

QuantumRiff (120817) | more than 2 years ago | (#40209785)

Why would anyone want a laptop with a 10 hour battery, that weighs almost nothing.. you're right..

I would kill for one to come out, at a decent price point, to be my new Ubuntu powered laptop.

Re:Yay for security! (0, Flamebait)

a90Tj2P7 (1533853) | more than 2 years ago | (#40208611)

No, *MOTHERBOARD* manufacturers can add other keys. If you can't even boot to an alternative OS, there's no way in hell you could _CHANGE_ the damned keys, unless there was a vulnerability.

So please stop your FUD.

UEFI is the new BIOS, you don't need to boot into any alternative OS to manage it. For x86 systems, there is absolutely a means to change or add keys. This is widely-known and reported. Check your facts.

Re:Yay for security! (3, Interesting)

tepples (727027) | more than 2 years ago | (#40208681)

For x86 systems, there is absolutely a means to change or add keys.

So how will publishers of alternative operating systems be able to train home users in adding the key needed to install another operating system?

Re:Yay for security! (0)

Anonymous Coward | more than 2 years ago | (#40209093)

The same way they train home users to install another OS?

Re:Yay for security! (2)

tepples (727027) | more than 2 years ago | (#40209203)

Before UEFI Secure Boot, installing a new operating system was a matter of putting the CD in or plugging in the USB drive and rebooting. Recent versions of Ubuntu, for example, would give the option to shorten your Windows partition. But now, the problem will involve getting the new operating system's key into the UEFI environment.

Re:Yay for security! (1)

a90Tj2P7 (1533853) | more than 2 years ago | (#40209273)

And how many home users don't know how to burn an ISO, create a bootable flash drive, and/or check/change their boot order?

But now, the problem will involve getting the new operating system's key into the UEFI environment.

Yes, registering with MS for $99 (which goes entirely to Verisign) is an insurmountable problem.

Re:Yay for security! (0)

shiftless (410350) | more than 2 years ago | (#40209831)

Yes, registering with MS for $99 (which goes entirely to Verisign) is an insurmountable problem.

Damn right it's insurmountable. You think I'm sending Verisign $99 just to use my own goddamn computer? Fuck that shit. I don't support the security certificate racket. My insecure computer is fine with me, thanks.

Re:Yay for security! (1)

Anonymous Coward | more than 2 years ago | (#40210365)

Do you understand what you're talking about? The producer of the software (ex: Fedora) gets a single license, once. Not the user, not per user. That makes zero sense. This isn't, in any way, about end-user licensing - it's about certifying the source of software.

If you support Verisign you support Norton (2)

tepples (727027) | more than 2 years ago | (#40210003)

Yes, registering with MS for $99 (which goes entirely to Verisign) is an insurmountable problem.

If each end user has to do it, then yes, it is insurmountable in practice. It's especially hard for people who disagree with the principles of Norton software, which is sold by the same company that bought Verisign's certificate business.

Re:If you support Verisign you support Norton (1)

a90Tj2P7 (1533853) | more than 2 years ago | (#40210289)

If each end user has to do it, then yes, it is insurmountable in practice.

Where did you even get that idea??? We're talking about the producers of the software registering a key, once. It has nothing to do with the users.

Re:If you support Verisign you support Norton (1)

tepples (727027) | more than 2 years ago | (#40210349)

We're talking about the producers of the software registering a key, once.

In that case, are you claiming that it is desirable that each operating system distributor must feed the Norton-Verisign racket?

Re:Yay for security! (0)

Anonymous Coward | more than 2 years ago | (#40209777)

To you it seems so simple. Try it with a typical home user. To a person like you, the UEFI key stuff will not be a problem. Whereas a normal home user won't even get to that step in the first place! They'd get stuck way before reaching there.

A typical home user wouldn't even be able to create a bootable USB drive by themselves, or even realize there's such a thing. They might not even know about the most popular Desktop Linux distro to bother downloading it. For most home users they buy a PC with the OS they want to use - Windows or OS X.

Re:Yay for security! (5, Insightful)

0123456 (636235) | more than 2 years ago | (#40209229)

The same way they train home users to install another OS?

Boot from CD and hit 'Install'?

Nope. Not going to work in the Glorious People's Secure Boot Dictatorship.

In fact, I presume you won't even be able to boot from CD without disabling 'Secure Boot' in the BIOS.

Re:Yay for security! (5, Interesting)

peppepz (1311345) | more than 2 years ago | (#40208241)

GP is perfectly right, if anything. Microsoft will control by default all bootloaders, and this event shows that Microsoft are unable to maintain their chain of trust. The fact that there can be (or not - cf. ARM) an undocumented, user-unfriendly, unspecified procedure to add other people's keys doesn't change a bit of that.

unauthorized digital certificates (-1)

Anonymous Coward | more than 2 years ago | (#40208079)

Yes, the 'unauthorized' digital certificates from a Microsoft Certificate Authority were just as "unauthorized" as the British passports used in the Mossad murder in Dubai.

Nice Headline (1, Interesting)

a90Tj2P7 (1533853) | more than 2 years ago | (#40208097)

"Microsoft Certificate Was Used To Sign Flame Malware" != "Counterfeit Microsoft Certificate Was Used To Sign Flame Malware"

Re:Nice Headline (4, Insightful)

K. S. Kyosuke (729550) | more than 2 years ago | (#40208227)

What exactly do you mean by "counterfeit"? If the signing key was signed by the genuine Microsoft key, how does that objectively differ from all the other signing keys?

Re:Nice Headline (0)

lemonfresh33 (1367367) | more than 2 years ago | (#40208331)

When they took Robert Schifreen to court in the early 80s they tried to prove he'd counterfeited passwords. If memory serves, they failed because copying != copying.

Re:Nice Headline (2)

lemonfresh33 (1367367) | more than 2 years ago | (#40208341)

Oops... typo... Counterfeiting != copying.

Re:Nice Headline (5, Informative)

joeflies (529536) | more than 2 years ago | (#40208231)

It was not a counterfeit Microsoft certificate. It was a legitimate Microsoft certificate from Terminal Server Licensing Service, but used for purposes other than it was intended.

Re:Nice Headline (5, Informative)

Psykechan (255694) | more than 2 years ago | (#40208483)

The certs issued from the Terminal Server Licensing Service were intended to be used only for connections and not code signing. This is Microsoft's blunder. They weren't actually licensing malicious certificates but they were giving people tools to issue what appeared to be valid certs coming from MS.

The fixes are going to be changing TSLS so that its certs can no longer be used to sign code and revoking the intermediate CA certs that are affected.

http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx [technet.com]
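
The comments above describe certificates issued for licence verification that could also be used to sign code. As an added illustration (not part of the thread and not Microsoft's code), this Python example reads the extended key usage (EKU) extension out of a certificate's DER bytes and reports whether RFC 5280 would restrict it away from code signing. The sample certificates are constructed, unsigned skeletons, `CLIENT_AUTH` stands in for a non-signing purpose, and treating the purpose restriction as an EKU question is an assumption the thread does not spell out.

```python
# Added example: constructed data, not a real Microsoft certificate.
EKU_EXT = "2.5.29.37"               # id-ce-extKeyUsage (RFC 5280)
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # stand-in for a non-signing purpose (assumption)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos (single-byte tags only)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for each element packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val


def decode_oid(val):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, acc = [], 0
    for b in val:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    if not arcs:
        raise ValueError("empty OID")
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def find_eku(value):
    """Depth-first search for the EKU extension; list of purpose OIDs, or None if absent."""
    kids = list(children(value))
    if kids and kids[0][0] == 0x06 and decode_oid(kids[0][1]) == EKU_EXT:
        octets = [v for t, v in kids if t == 0x04]
        if octets:                          # extnValue wraps a SEQUENCE OF OID
            _, seq, _ = read_tlv(octets[0], 0)
            return [decode_oid(v) for t, v in children(seq) if t == 0x06]
    for tag, val in kids:
        if tag & 0x20:                      # constructed element: descend
            found = find_eku(val)
            if found is not None:
                return found
    return None


def code_signing_verdict(der):
    eku = find_eku(der)
    if eku is None:
        return "unrestricted"               # no EKU extension: no purpose limit in RFC 5280
    return "allowed" if CODE_SIGNING in eku or ANY_EKU in eku else "blocked"


def audit(certs):
    """Names of certificates that are not restricted away from code signing."""
    return [name for name, der in certs if code_signing_verdict(der) != "blocked"]


# --- helpers that build the constructed sample input ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def sample_cert(eku_oids):
    """Unsigned certificate skeleton: version, serial, optional EKU extension."""
    fields = [tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01")]
    if eku_oids is not None:
        eku = tlv(0x30, b"".join(encode_oid(o) for o in eku_oids))
        ext = tlv(0x30, encode_oid(EKU_EXT) + tlv(0x04, eku))
        fields.append(tlv(0xA3, tlv(0x30, ext)))
    return tlv(0x30, tlv(0x30, b"".join(fields)) + tlv(0x03, b"\x00"))


SAMPLES = [("licence-only", sample_cert([CLIENT_AUTH])),
           ("no-eku", sample_cert(None)),
           ("codesign-eku", sample_cert([CLIENT_AUTH, CODE_SIGNING]))]

if __name__ == "__main__":
    for name, der in SAMPLES:
        print(name, code_signing_verdict(der))
```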

Re:Nice Headline (1)

shentino (1139071) | more than 2 years ago | (#40208931)

The TSLS was a confused deputy.

Re:Nice Headline (1)

MightyYar (622222) | more than 2 years ago | (#40209497)

I don't know exactly how MS's certs work, but doesn't this mean that they can tell exactly which cert did the signing of the malware? That might be an interesting piece of information, even if it just leads to a dead end.

Re:Nice Headline (0)

Anonymous Coward | more than 2 years ago | (#40209857)

It probably leads to a certain government. Which is why this "interesting piece of information" will never be published.

Re:Nice Headline (1)

Zinho (17895) | more than 2 years ago | (#40210477)

... this "interesting piece of information" will never be published.

I agree with the sentiment, but if the cert is in the virus code then it's available to everyone who has a copy. Stuxnet is fairly widely distributed, and I'm sure every black hat organization that wants it has a copy. The U.S. Government may be able to strong-arm Kaspersky and Norton, but I doubt they have much leverage over the Cult of the Dead Cow (or whoever the big player is this week). The U.S. Government may be able to strong arm Rupert Murdoch and the other modern-day Charles Foster Kanes, but there are plenty of bloggers looking to make a name for themselves, never mind all the foreign journalists for agencies like Al Jazeera.

As much as anyone in power may want to suppress this information, it's got literally the same problem as DRM on movie disks - the virus is intentionally broadcasting itself to the world, and needs to have the cert attached to work properly. If it can be analyzed to find incriminating information, and there is anyone motivated and skilled enough to do the analysis, I am sure they will have access to both the virus itself and the means to publish.

MAKES IT ALL WORTH SCAT !! AND THAT AIN'T MUCH !! (-1)

Anonymous Coward | more than 2 years ago | (#40208099)

Scat is shit, you see !! If you want some, there are ... shit ... loads here !!

Remember the Kernel Backdoor (4, Interesting)

Anonymous Coward | more than 2 years ago | (#40208109)

I think it was an SHS exploit or something in the Windows Kernel. Steve Gibson stepped through the Kernel and concluded that this vulnerability was an intentionally placed backdoor, perhaps by a Microsoft employee. It's in one of his earlier podcasts. Lots of people thought maybe he was crazy at the time, but in retrospect ... maybe not so much.

Re:Remember the Kernel Backdoor (2)

JustNiz (692889) | more than 2 years ago | (#40209771)

Nice to know that even now, after Microsoft have been bitten so many times, it still hasn't occurred to them to do security auditing of at least the kernel API before they release it as a global product.
And this is the company and product most businesses choose to trust? Wow. And will be the authority for the trustable bootloader key.. again, wow.

Re:Remember the Kernel Backdoor (3, Interesting)

ChumpusRex2003 (726306) | more than 2 years ago | (#40209937)

I don't think Gibson found a kernel backdoor.

He did shout very loudly about an intentional backdoor in the Windows metafile image handler, which would start executing native code when a callback command was included in the script. He made a large number of spurious arguments as to why this was clearly intentional, as the vuln could only be triggered in very exceptional circumstances.

He was completely wrong about almost everything he said. The vuln was trivial to trigger, except when it was the last instruction in the script (which was the only way Gibson was testing). From the fact that he had great difficulty triggering it, requiring multiple parameters to be set to nonsense values, he concluded that this was clearly a deliberate backdoor.

It later came out from a number of MS insiders (incl. Mark Russinovich) that metafiles were a feature of Win 3, and were intended to be fully-trusted OS components (for rapid image drawing, and therefore had privileged access to a variety of internal system calls - notably the ability to set callbacks). The functionality was greatly increased in Win95 and later, with the original x86 hand-written assembly being ported directly, rather than rewritten. In the mists of time, the assumption of full-trust got lost.

How/why are iranians running windows anyways? (1)

Anonymous Coward | more than 2 years ago | (#40208115)

I thought they were under all kinds of "tough" sanctions? I guess not too tough for Microsoft to make a quick buck selling them their shitty OS!

Summary of TFA . . . (1)

InvisibleClergy (1430277) | more than 2 years ago | (#40208209)

Attackers broke an old form of security which has been relatively trivially patched. This is actually good for Microsoft, because (ideally) now they will review all of their old authorized keys and determine which would be easier to generate. So it's not like Microsoft included their Private Key in plaintext in some code somewhere, or anything like that.

Re:Summary of TFA . . . (1)

the_B0fh (208483) | more than 2 years ago | (#40208271)

They've stored their Private Key in plain text _somewhere_ even if that somewhere was an encrypted container that's locked away in Bill Gates' basement... :)

UEFI (5, Insightful)

Anonymous Coward | more than 2 years ago | (#40208263)

And this is how they plan to monopolize Secure Boot (UEFI) and get rid of Linux? Why should I trust that ONE KEY that Microsoft plans to install on all motherboards?

JP

Re:UEFI (1, Informative)

KingMotley (944240) | more than 2 years ago | (#40208691)

First of all the Secure Boot in UEFI wasn't mandated by Microsoft, it's a feature that they have decided to implement. A feature any OS is free to implement, including Linux.
Secondly, motherboard manufacturers are able to add (or pre-add) any key (or none at all) if they choose.
Thirdly, there is nothing keeping users from being able to install their own key (or additional keys) through the UEFI boot process, assuming the UEFI manufacturer provides one.

Really, stop spreading your FUD.

Re:UEFI (5, Informative)

betterunixthanunix (980855) | more than 2 years ago | (#40208899)

First of all the Secure Boot in UEFI wasn't mandated by Microsoft

Except when it comes to Windows 8 on ARM systems. Then Microsoft does mandate secure boot.

A feature any OS is free to implement, including linux.

  1. Linux is not an operating system, it is a kernel.
  2. What difference does it make if other OSes support secure boot, if you cannot install those OSes as a result of secure boot being used?

Secondly, motherboard manufacturers are able to add (or pre-add) any key (or none at all) if they choose.

This is a cop out; unless there is a simple way for users to install their own keys, this is something that will further restrict how people can use their computers. You can jailbreak your iPad if you want, but the majority of people have trouble doing so.

Thirdly, there is nothing keeping users from being able to install their own key (or additional keys) through the UEFI boot process, assuming the UEFI manufacturer provides one.

...which is something Microsoft pressures them not to do on ARM devices:

https://www.softwarefreedom.org/blog/2012/jan/12/microsoft-confirms-UEFI-fears-locks-down-ARM/ [softwarefreedom.org]

Really, stop spreading your FUD.

What FUD? We said years ago that iPad style lock-down is coming to desktops and laptops; now we have moved a step closer. There is a lot of money to be made from attacking computer users' freedom, and now that Apple has pulled in billions of dollars doing so, everyone else wants to join the party.

Re:UEFI (3, Informative)

a90Tj2P7 (1533853) | more than 2 years ago | (#40209205)

This is a cop out; unless there is a simple way for users to install their own keys, this is something that will further restrict how people can use their computers.

There is. UEFI isn't new, nor is secure boot. The only thing new is MS wanting to make it . There's a process for adding keys. Or the vendor can just pay $99 to Verisign like Fedora's doing. Even if you think that isn't "simple" enough, the feature can just be disabled on x86 machines.

Re:UEFI (1)

a90Tj2P7 (1533853) | more than 2 years ago | (#40209245)

The only thing new is MS wanting to make it a prerequisite for Win 8.*

Re:UEFI (5, Insightful)

betterunixthanunix (980855) | more than 2 years ago | (#40209353)

the vendor can just pay $99

The fact that this is phrased in terms of "vendors" should indicate that this is an attack on user freedom. A fee to install your signing key creates obstacles for anyone who wants to fork a GNU/Linux distribution (happens all the time), anyone who wants to create their own distribution, and anyone who wants to try "Linux from Scratch" (and I know of a few people who have done so). It also creates an obstacle for anyone who wants to write their own kernel or OS; if Linus Torvalds had to pay $99, the Linux kernel itself may never have been created.

Even if you think that isn't "simple" enough

The fact that money is involved makes it a major barrier, and counts very strongly against the process being "simple" (it requires a payment to be processed, a third party to the new key, etc. -- you cannot even test a system without the fee; compare with TLS, where you can generate a usable test certificate without paying anyone).

the feature can just be disabled on x86 machines.

Only if the motherboard manufacturer allows it, and this is not allowed on ARM machines that will run Windows 8. Considering the inroads ARM has made into personal computing, I do not think it is unfair to say that the decisions made today about ARM computers will shape the reality of personal computing over the next decade. We are already seeing this happening; app stores are the norm, people are talking about trendy apps, etc.

Re:UEFI (1)

KingMotley (944240) | more than 2 years ago | (#40209713)

Linux is not an operating system, it is a kernel.

Actually, it is an operating system. It by itself is just a kernel, granted, but an operating system kernel is itself an operating system. I realize you were just trying to point out a triviality, but you are incorrect in your terminology. You may not use the term in that fashion, and you may prefer to call linux the kernel whereas {flavor of the month} as the operating system so that you can try and draw a line to show the difference to people that aren't familiar with it, but that doesn't make it incorrect to label it as such. The linux kernel meets every requirement necessary to be called an operating system itself. If you can find a definition of Operating System by ANY relevant source, please provide it, because it meets every definition I've ever heard of.

What difference does it make if other OSes support secure boot, if you cannot install those OSes as a result of secure boot being used?

Then disable secure boot. For example, hold down shift while you turn on the computer to enter the UEFI. Select the "Security" section, then uncheck "secure boot enabled". Click OK. Reboot. Boy, that was hard.

This is a cop out; unless there is a simple way for users to install their own keys, this is something that will further restrict how people can use their computers. You can jailbreak your iPad if you want, but the majority of people have trouble doing so.

There is a simple way for users to install their own keys, or disable secure boot entirely if they want. And selecting a menu option is not quite the same thing as download this program from this site, connect your iDevice, sideband load this, hit these 20 keys while you reboot, then make sure you check the version of iOS you are running because this backdoor doesn't work in the versions x,y,z.

...which is something Microsoft pressures them not to do on ARM devices:

https://www.softwarefreedom.org/blog/2012/jan/12/microsoft-confirms-UEFI-fears-locks-down-ARM/ [softwarefreedom.org]

And you can't load an alternate OS on my refrigerator, my drier either, or my TV. While it's technically possible I suppose, people aren't demanding it, nor would I suspect a large amount of users want to buy an ARM based tablet with windows 8 and want to dual boot to another OS. There are plenty of devices out there that can run the OS of your choice.

Re:UEFI (1)

betterunixthanunix (980855) | more than 2 years ago | (#40210269)

Then disable secure boot. For example, hold down shift while you turn on the computer to enter the UEFI. Select the "Security" section, then uncheck "secure boot enabled". Click OK. Reboot. Boy, that was hard.

Except that you are not allowed to do so on ARM systems that run Windows 8, as per Microsoft's demands.

Re:UEFI (0)

Anonymous Coward | more than 2 years ago | (#40209881)

Linux is not an operating system, it is a kernel.

You stupid fucking cocksucker! 99.9% of readers here already know that. One single word can have more than one definition. If I post a comment on Slashdot stating that I run Linux on my home PC, which I would never do because I don't lick Stallman's shit-encrusted asshole, they know Linux is a kernel and they know I'm probably using it in conjunction with GNU software. God Damn, why can't people like you just go fuck yourself and not annoy the rest of humanity?

Re:UEFI (3, Interesting)

MickyTheIdiot (1032226) | more than 2 years ago | (#40209101)

But is Linux only able to join the party if it plays in the game Microsoft created? Do you have to be a multi-million dollar company to play? Can I write my own OS if I wanted to and have it boot "securely" on hardware that I own?

None of this seems answered right now. I know that the idiots in Washington DC think you have to be a company to make software, but when you implement that into the hardware it's total bullshit.

Re:UEFI (1)

MickyTheIdiot (1032226) | more than 2 years ago | (#40209131)

Also, it's a great way to get an OS labeled "insecure" by know-nothings.

Re:UEFI (1)

KingMotley (944240) | more than 2 years ago | (#40209867)

That's because it IS "insecure".

Re:UEFI (0)

Anonymous Coward | more than 2 years ago | (#40209859)

But is Linux only able to join the party if it plays in the game Microsoft created?

You mean linux is only able to join the party if it plays the game that the consortium of hardware and software companies came up with to fix all the legacy problems with the older BIOSes? Why yes, linux is only able to currently join the party if it plays the game that we now call BIOS. Now it will have to play the UEFI game if it wants to run on UEFI enabled motherboards, or NOT. Feel free to stay with BIOS based motherboards until the year 2900 if you want.

Can I write my own OS if I wanted to and have it boot "securely" on hardware that I own?

Yes, just disable secure boot, or install your own key. Cryptography keys aren't hard to create. Anyone who is capable of writing an OS is capable of generating their own signing key, it's not rocket surgery.

Re:UEFI (0, Troll)

afidel (530433) | more than 2 years ago | (#40208709)

You are an idiot, the Windows 8 Ready program requires manufacturers to make adding additional secure boot keys available to the end user. Secure Boot isn't some conspiracy to get rid of Linux, it's an attempt to try to get rid of physical access == owned. Paranoid Linux lovers have turned it into a conspiracy because MS == evil in their eyes, whereas the real evils (Chinese government for one) are given a pass even though the attempt is to get rid of things like rootkits installed at customs.

Re:UEFI (-1)

afidel (530433) | more than 2 years ago | (#40209127)

This is not a troll, saying that MS is trying to eliminate Linux through secure boot is a troll....

Re:UEFI (1)

0123456 (636235) | more than 2 years ago | (#40209209)

This is not a troll, saying that MS is trying to eliminate Linux through secure boot is a troll....

Yes. I'm sure that Microsoft never even considered that requiring a Microsoft key to boot your PC (or having to jump through hoops to disable 'Windows Boot' rather than just install from a CD) would harm the competition.

Re:UEFI (0)

Anonymous Coward | more than 2 years ago | (#40209863)

What competition? Linux has a desktop usage share of less than 2% according to Wikipedia. And that's with the benefit of an unencumbered platform.

Re:UEFI (3, Interesting)

Culture20 (968837) | more than 2 years ago | (#40209309)

the Windows 8 Ready program requires manufacturers to make adding additional secure boot keys available to the end user. Secure Boot isn't some conspiracy to get rid of Linux, it's an attempt to try to get rid of physical access == owned.

Except it does nothing about that. Physical access still == owned unless you lock the bios/uefi and physically lock the machine. Otherwise the attacker can either take out the HDD or boot up a Linux live CD or other HDD by adding a new key. That's no different from the current state of affairs where we change the boot order, lock down the bios and lock the machine. That means the purpose for Secure Boot has to be something else... and easy money is on market dominance (even just joe-user home market dominance).

Re:UEFI (1)

shiftless (410350) | more than 2 years ago | (#40209871)

Secure Boot isn't some conspiracy to get rid of Linux, it's an attempt to try to get rid of physical access == owned.

Thanks Microsoft.... but no thanks. A shotgun (plus Truecrypt) is enough to protect my data.

Re:UEFI (0)

Anonymous Coward | more than 2 years ago | (#40209423)

why should I trust that ONE KEY that microsoft...

JP

Recently one of my friends, a computer wizard, paid me a visit. As we were talking I mentioned that I had recently installed Windows on my PC, I told him how happy I was with this operating system and showed him the Windows CD. To my astonishment and distress he threw it into my micro-wave oven and turned it on. I was upset because the CD had become precious to me, but he said: 'Do not worry, it is unharmed.' After a few minutes he took the CD out, gave it to me and said: 'Take a close look at it.' To my surprise the CD was quite cold and it seemed to have become thicker and heavier than before. At first I could not see anything, but on the inner edge of the central hole I saw an inscription, in lines finer than anything I have ever seen before. The inscription shone piercingly bright, and yet remote, as if out of a great depth:

4F6E 6520 4F53 2074 6F20 7275 6C65 2074 6865 6D20 616C 6C2C 204F 6E65 204F 5320 746F
2066 696E 6420 7468 656D 2C0D 0A4F 6E65 204F 5320 746F 2062 7269 6E67 2074 6865 6D20
616C 6C20 616E 6420 696E 2074 6865 2064 6172 6B6E 6573 7320 6269 6E64 2074 6865 6D

'I cannot read the fiery letters,' I said.
'No,' he said, 'but I can. The letters are Hex, of an ancient mode, but the language is that of Microsoft, which I shall not utter here. But in common English this is what it says:'

        One OS to rule them all, One OS to find them,
        One OS to bring them all and in the darkness bind them.

One OS to rule them all [danny.oz.au]

Microsoft is in on it (1)

Anonymous Coward | more than 2 years ago | (#40208279)

They were totally in on it, and only issuing this advisory to cover their asses.

future of it all? bleak... (2)

darkob (634931) | more than 2 years ago | (#40208545)

I wonder how long will it take for the government(s) to decide they in fact own every computer (or at least its processing capabilities) and issue some sort of mandatory backdoor. As it seems antivirus companies might be first compelled to "go along" with the new paradigm, by probably "not detecting" presence of some (government?!) software (that we old-fashionedly still call "malware", whereas these pieces of code are highly focused towards very specific target, so majority of users/comp. owners should have no problems whatsoever with the sinister part of said software). Indeed, grim future may even be "you should let that piece of software alone, if you have nothing to hide". Whether or not this story has anything to do with the _NSAKEY.

Re:future of it all? bleak... (1)

betterunixthanunix (980855) | more than 2 years ago | (#40208923)

I wonder how long will it take for the government(s) to decide they in fact own every computer (or at least its processing capabilities) and issue some sort of mandatory backdoor.

What, you think this sort of thing has not already happened? Take a look at telecom equipment some time...

That's gotta hurt the bottomline... (0)

Anonymous Coward | more than 2 years ago | (#40208759)

I mean, if an America-hating country is paranoid enough they'll see this as Microsoft cooperating with American interests in order to bring a country down.

Bye Windows, hello home-rolled Dictatubuntu. "Sandbox-testing" just got a whole new meaning ^^

Re:That's gotta hurt the bottomline... (1)

couchslug (175151) | more than 2 years ago | (#40210147)

Why would THEY be "paranoid" when business and government in the US are one?

"Dictabuntu" does have a nice ring to it.

Simple (0)

Anonymous Coward | more than 2 years ago | (#40208965)

Remove Microsoft from your list of trusted CAs, because their certs can't be trusted.

This one might ... (0)

Anonymous Coward | more than 2 years ago | (#40209033)

... (arguably) be the first 0day in Flame. Let's see what is to come.

fake certificates, or sold certificates? (3, Interesting)

Edzilla2000 (1261030) | more than 2 years ago | (#40209063)

Considering that Microsoft sold the possibility to sign SSL certificates for any domain to the late Tunisian government, why wouldn't they sell the same thing to the makers of that virus, if it really comes from a government?

source: http://arabcrunch.com/2011/09/wikileaks-microsoft-accused-in-helping-bin-ali-monitor-tunisians-corruption-stifling-open-source.html [arabcrunch.com]

Really? (5, Interesting)

Corson (746347) | more than 2 years ago | (#40209367)

Flamer is out in the wild since cca. 2007, with a MS signed certificate, and the only IT security organization that decides to bring it to public attention is a Russian company, and the first removal tool is from a Romanian company. Isn't this a bit strange? Isn't it more likely that this NA-designed spyware targeting the Middle East was released with the tacit agreement of Western security companies and it only became known because the Russians, for some reason, decided they would not play the game? Microsoft being unaware for the last few years that hundreds of computers are infected with a 20 MB spyware pack bearing a security certificate of their own? Come on...

Gorgeous (0)

Anonymous Coward | more than 2 years ago | (#40209517)

What a delicious example of plausible deniability. If you don't believe them, you are paranoid. If you believe them, you have to willingly ignore Microsoft's rapacious, lying history. That it goes beyond what one might expect of incompetence, way off into Scott Adams' accounts of fictitious and roll on the ground laughing galactic screwups, implies that it was planned this way. But of course nobody would willingly do that, it's not even worth commenting about. Even the NSA is not that dumb. Or that smart. Or.. whatever, they are invisible and don't exist except in Hollywood. And when issuing secure linux operating systems.

Massive vulnerability is so massive, it's stupid. Massive corporation is so massive, it is holy. I believe the reason America greatly sucks right now is a fundamental cognitive dissonance. A flaw in the character that worked well in the 19th century but started to fail in the 20th and totally is epically failing in the 21st. It is clearly visible here. It's that Microsoft's greatest core competence, here beautifully demonstrated, is this totally crazy, smirking, malicious stupidity, it is so evil it is good, so hated that it is loved, a fundamental quantum impossibility that comes off as sexy panache on the TV sitcoms, that here simultaneously emphasizes rattle-trap monopoly while self-defusing any possibility of reprisal, and 3, 2, 1 inevitably will lead to greater profitability by emphasizing security in a related announcement.

It is just so hugely mind-bogglingly idiotic or evil you immediately censor yourself from pursuing it while gasping for oxygen. In summary, the country is shot because people love this wacky, profitable, bulletproof juggernaut that just comes back for more. It's the new America. It is how we got into the Iraq war. Never mind that I predicted a similar "wacky reason is invented so we can go clean up and get the oil" war about 5-10 years before it happened. It is really a problem, this megacorp supervulnerable smarmy I'm rubber you're glue, we are pals of the government which is why we can give absolutely brain exploding explanations and everybody has to shut up and eat it. Bruce come out and explain it to those dumb asses! Arrrggghhh!!

Secure systems (1)

fa2k (881632) | more than 2 years ago | (#40209545)

It has recently become obvious that spy agencies can get any keys/certificates they need. An obvious way to spread spy software would be to send a poisoned system update, or an update for Adobe, etc. In the end, we have to trust the people who provide software systems, or write everything from scratch (and possibly build the hardware). Is there a usable system that limits the extent to which software creators can take control? Would be nice if there was a system that wasn't constantly tied to an update repository, and the code was reviewed, yet it was still usable.

Today's Lesson (4, Insightful)

Adrian Lopez (2615) | more than 2 years ago | (#40209661)

So... what did we learn today?

1. Signed code is not safe code.
2. An insecure operating system that only runs signed code is still an insecure operating system.

Do the right thing, MS. (1)

detritus. (46421) | more than 2 years ago | (#40209889)

Cancel your support contracts with the federal government NOW.

New users only? (1)

infochuck (468115) | more than 2 years ago | (#40209959)

It's so strange that about the only posts one sees here anymore are from users with ID#s in the 40,xxx,xxx block.

Re:New users only? (1)

couchslug (175151) | more than 2 years ago | (#40210179)

Never trust anyone whose ID begins with a 4.

Re:New users only? (0)

Anonymous Coward | more than 2 years ago | (#40210475)

That is the post number. Look next to the username for the user id number.

Not buying what Microsoft is selling (2)

WaffleMonster (969671) | more than 2 years ago | (#40210199)

Why are there two certificates with the exact same label? It takes a special kind of idiot.

"Microsoft Enforced Licensing Intermediate PCA"

Why does a certificate valid from 2002 to 2010 matter in 2012.. oh yeah, that's right, code signing certificates are based on the timestamp of the code and so when you compromise a signing cert 100 years from now and take that impossibly difficult extra step of forging a valid timestamp it will still be valid. All code signing certs should have an indefinite expiration because effectively that's what they really are. Any other label is grossly misleading.

The security week and MS article talks about forging keys using what I assume are insecure for signature algorithms.. I assume they mean MD5..but hey look at this:

The signature algorithm for Microsoft Enforced Licensing Registration Authority CA (SHA1) is sha1 this is currently what EVERYONE is using. Was this cert also compromised in the same way? Why is it here?
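The timestamp rule raised in the comment above, as an added example that is not part of the thread or of any vendor's code: a simplified model of how a verifier can treat a signature made with an expired code-signing certificate, and why explicit distrust of the certificate is the control that remains. All class and function names, the exact validity dates and the thumbprint are constructed assumptions; only the certificate label and the 2002 to 2010 range come from the comment.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc

@dataclass(frozen=True)
class SigningCert:
    subject: str
    thumbprint: str        # constructed placeholder, not a real value
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class Signature:
    cert: SigningCert
    # Time asserted by a timestamp countersignature; None if absent.
    timestamp: Optional[datetime] = None
    # True only if the countersignature chains to a trusted timestamp authority.
    timestamp_trusted: bool = False

def evaluate(sig, now, disallowed):
    """Return (accepted, reason) for one signature under the simplified model."""
    cert = sig.cert
    # An explicit distrust entry wins over any timestamp.
    if cert.thumbprint in disallowed:
        return False, "certificate explicitly distrusted"
    # A trusted timestamp replaces "now" as the time the validity window is checked at.
    if sig.timestamp is not None and sig.timestamp_trusted:
        reference, basis = sig.timestamp, "timestamp"
    else:
        reference, basis = now, "verification time"
    if not (cert.not_before <= reference <= cert.not_after):
        return False, f"{basis} outside certificate validity"
    return True, f"{basis} inside certificate validity"

def demo():
    """Evaluate four constructed signatures as seen in June 2012."""
    cert = SigningCert(
        subject="Microsoft Enforced Licensing Intermediate PCA",
        thumbprint="PLACEHOLDER-THUMBPRINT",
        not_before=datetime(2002, 1, 1, tzinfo=UTC),    # constructed date
        not_after=datetime(2010, 12, 31, tzinfo=UTC),   # constructed date
    )
    now = datetime(2012, 6, 4, tzinfo=UTC)
    stamped = datetime(2009, 5, 1, tzinfo=UTC)
    cases = {
        "untimestamped": (Signature(cert), set()),
        "timestamped": (Signature(cert, stamped, True), set()),
        "untrusted_timestamp": (Signature(cert, stamped, False), set()),
        "distrusted": (Signature(cert, stamped, True), {cert.thumbprint}),
    }
    return {name: evaluate(sig, now, deny) for name, (sig, deny) in cases.items()}

if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:20} accepted={accepted}  {reason}")
```

In this model the expiry date alone never retires a timestamped signature, so only the distrust entry changes the 2012 outcome for the "timestamped" case.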

would it be naive? (1)

Pirulo (621010) | more than 2 years ago | (#40210387)

1. - make bloated spy software virus for government
2. - sign it
3. - it's no longer a virus
4. - profit
5. - disclaimer will follow about stolen cert