Linked by Thom Holwerda on Thu 27th Apr 2006 21:19 UTC
Windows Security features introduced in Windows Vista will make setting up PCs to boot in either Linux or Windows far more difficult, according to security guru Bruce Schneier. Vista is due to feature hardware-based encryption, called BitLocker Drive Encryption, which acts as a repository to protect sensitive data in the event of a PC being either lost or stolen. This encryption technology also has the effect of frustrating the exchange of data needed in a dual boot system.
Order by: Score:
It should be noted
by konfoo on Thu 27th Apr 2006 21:33 UTC
konfoo
Member since:
2006-01-02

that these drive/memory encryption technologies are also getting a big push from the music and movie industries. This is not about protecting your content from theft, but protecting industry content from you, the pirate *cough* valued consumer. In fact, some of the on-drive encryption systems in development are being done specifically to protect content. The benefit for you the consumer for securing your own data, is completely secondary. I for one don't like the direction that this is headed.

Reply Score: 5

RE: It should be noted
by Robocoastie on Fri 28th Apr 2006 03:09 UTC in reply to "It should be noted"
Robocoastie Member since:
2005-09-15

ahhh yet another reason for WinXP to have been the last MSFT product I ever purchased and be 100% Linux.

Reply Score: 1

I see
by Sphinx on Thu 27th Apr 2006 21:33 UTC
Sphinx
Member since:
2005-07-09

and this is a feature?

Reply Score: 4

RE: I see
by Babi Asu on Fri 28th Apr 2006 06:20 UTC in reply to "I see"
Babi Asu Member since:
2006-02-11

No, it's a bug ;)

Reply Score: 1

So turn it off.
by BrianH on Thu 27th Apr 2006 21:34 UTC
BrianH
Member since:
2005-07-06

NTFS drive encryption does the same thing. Just turn it off on a dual-boot machine.

Reply Score: 2

RE: So turn it off.
by de_wizze on Fri 28th Apr 2006 00:25 UTC in reply to "So turn it off."
de_wizze Member since:
2005-10-31

Does hardware mean anything to you ?

Reply Score: 1

RE[2]: So turn it off.
by BrianH on Fri 28th Apr 2006 01:15 UTC in reply to "RE: So turn it off."
BrianH Member since:
2005-07-06

Does optional to you? Just because it's implemented in hardware doesn't mean you have to enable it - it just means that encrypted data will be difficult to decrypt, though no more difficult than that encrypted by software using the same algorithm. Hardware usually just means faster. But if you don't enable the encryption, the data never gets encrypted in the first place, no problem.

Reply Score: 3

RE[3]: So turn it off.
by smitty_one_each on Fri 28th Apr 2006 10:53 UTC in reply to "RE[2]: So turn it off."
smitty_one_each Member since:
2005-07-07

I wouldn't say 'no problem'. You're placing a religious level of faith in a Redmond product. What of maintenance? What of a rootkit that tweaks that supposedly-sealed hardware encryption?
IT is best when it resembles a chess game more than a poker match. When it's poker, you become the pokee.

Reply Score: 1

double standards
by Thom_Holwerda on Thu 27th Apr 2006 21:36 UTC
Thom_Holwerda
Member since:
2005-06-29

You can probably turn it off, so who cares. Apple has FileVault which does the same, and I've never heard a single complaint about it.

Double standards, as usual. It's so hypocrit.

Reply Score: 5

RE: double standards
by archiesteel on Thu 27th Apr 2006 21:54 UTC in reply to "double standards"
archiesteel Member since:
2005-07-02

Double standards from whom? The article you linked to, or the posters? Double standards between what and what?

Thom, you should be careful not to sound too aggressive in your replies. Maybe it's the language barrier, but as an editor you should still display a certain amount of decorum.

That said, it's quite normal to have double standards towards Microsoft. Being a monopoly, they are already subjected to different laws and standards. If the IT industry was a level playing field, then double standards would be bad, but as it is, they're perfectly acceptable.

Edited 2006-04-27 21:57

Reply Score: 5

RE[2]: double standards
by JacobMunoz on Fri 28th Apr 2006 05:36 UTC in reply to "RE: double standards"
JacobMunoz Member since:
2006-03-17

Good call.

And aside from YellowDog Linux, NetBSD, and a very old BeOS, what few other OS's even bother with PowerPC Apples?

Apple has always been an exception (maybe not now with the IntelMacs). So few Apple users dual-boot (until the recent bootcamp, at least) that sharing partitions wasn't much of an issue.

The PC, on the other hand, by it's very nature - is generally built on open standards that promote interoperability. Until the recent Intel/Microsoft fiascos involving harware-based platform checking, PCs were meant to be multi-bootable. There's many different bootloaders, hard disk partitioning up-the-whazoo, and lots of little details that IBM built into the original PC design that make it ideal for many OSes. Apple, on the other hand, doesn't want ANY competition on their hardware (until bootcamp, of course) - and this is mostly the result of constant nagging for Windows compatability, not PC compatability.

Reply Score: 3

RE: double standards
by dusanyu on Thu 27th Apr 2006 23:54 UTC in reply to "double standards"
dusanyu Member since:
2006-01-21

FileVault is not enabled by default

and it could be agued that the Mac is not suposed to be "Open hardware" like PC clones are when one buys a Mac one has to play apple's way

Reply Score: 1

I don't get it...
by DrillSgt on Thu 27th Apr 2006 21:37 UTC
DrillSgt
Member since:
2005-12-02

How does this frustrate dual boot? The current implementation of mounting NTFS from Linux frustrates that already by corrupting data on the NTFS partition, making your Windows side unusable anyway. The safest way to dual boot is to not mount Windows partitions anyway.

Reply Score: 1

RE: I don't get it...
by l3v1 on Thu 27th Apr 2006 21:49 UTC in reply to "I don't get it..."
l3v1 Member since:
2005-07-06

I know where you should go today. Go educate yourself. There are people who dual/triple/... boot and still manage to use the data on other partitions, including ntfs. Writing is still picky and better not touched, I admit, still, there's absolutely no peril in using it to read and use the data on it. I have at least as much data on ntfs as on reiser and xfs, no problems whatsoever, it's just handy to have a partition which every os can handle for data transfer (i.e. fat32 or ext2).

Saying that "making your Windows side unusable anyway" is something that can fairly easily scare off quite a number of people.

Even if there's some truth in what you say, you should state your opinion by telling the whole truth not just the parts that fit you well, like most bad politicians do. Truth can be harder to bend when people are listening.

Reply Score: 5

RE[2]: I don't get it...
by DrillSgt on Thu 27th Apr 2006 22:27 UTC in reply to "RE: I don't get it..."
DrillSgt Member since:
2005-12-02

"Saying that "making your Windows side unusable anyway" is something that can fairly easily scare off quite a number of people."

Agreed, and maybe I should have put more detail into it. I triple boot myself, so I am educated on that. You are correct in there is no peril with reading your NTFS partitions. The problem I mentioned exists however as using Fedora Core 5 automatically mounts your NTFS RW, with no way to change it until AFTER the installation is complete and the damage is done, and alters permissions settings on windows files. That is what I was referring to. I don't bend the truth, I state what I can reproduce and is known to me to be the truth. In actuality people should be scared of it, as they need to know what CAN happen if they are not careful.

Reply Score: 1

RE[3]: I don't get it...
by Robocoastie on Fri 28th Apr 2006 03:13 UTC in reply to "RE[2]: I don't get it..."
Robocoastie Member since:
2005-09-15

I understand what you were getting at DrillSgt. dunno why others were confused about it. oh well.

Reply Score: 1

Security vs. Versatility
by Hands on Thu 27th Apr 2006 21:38 UTC
Hands
Member since:
2005-06-30

Bitlocker-type technologies have been around for a long time, and they will continue to evolve. I fail to see how this really affects dual-boot systems in such an adverse way though. If you need absolute security, it's unlikely that you're going to be dual-booting. In the event that you need to use multiple operating systems with lots of security, you're much more likely to be using virtualization and/or emulation to access the second OS. Too few people know enough to adequately lock down multiple host operating systems with satisfactory security results.

Those who want to use Linux with Windows in a dual-boot environment are generally better off using a file system that wasn't created by Microsoft anyway. Ext2/3 can easily be accessed by both Linux and Windows by adding a driver to Windows, and it's much better than FAT while giving reliable write access to both systems unlike NTFS on Linux.

Reply Score: 5

...
by Weeman on Thu 27th Apr 2006 21:47 UTC
Weeman
Member since:
2006-03-20

It's OP-TIO-NAL!

Reply Score: 1

No dual boot? No problem!
by Punktyras on Thu 27th Apr 2006 21:52 UTC
Punktyras
Member since:
2006-01-07

Ok, there will be no temptation to come back to Windows:)

Reply Score: 4

RE: No dual boot? No problem!
by Celerate on Thu 27th Apr 2006 23:05 UTC in reply to "No dual boot? No problem!"
Celerate Member since:
2005-06-29

My thought exactly, If Microsoft ever tries to force me to choose they'd better be ready to loose me altogether.

This could be optional as some have said, I haven't read the article, if it is the only place I really see this being used is on single-boot laptops.

Reply Score: 1

Seagate
by JackMayhoff on Thu 27th Apr 2006 21:59 UTC
JackMayhoff
Member since:
2006-04-27

Just use seagate full drive encryption on hardware without the OS knowing about it.

Reply Score: 3

FAT32
by TADavis on Thu 27th Apr 2006 22:18 UTC
TADavis
Member since:
2006-03-13

On this web site was an article saying a patent for FAT filesystem was in limbo. I removed FAT support from LoseThos as a result. Why does Linux get away with it? Do they have a license? I checked for licensing FAT with Microsoft and discovered they charge $0.26 just to format a Flash memory stick.

LoseThos has it's own filesystem and files are compressed, but not encrypted. I used to have encryption but decided if you don't make efforts in the entire operating system to support security, it's pointless and deceptive. For a secure system, for example, you need to wipe memory of stuff all over the place in case it might be secret, etc.

Reply Score: 1

RE: FAT32
by Ronald Vos on Thu 27th Apr 2006 23:32 UTC in reply to "FAT32"
Ronald Vos Member since:
2005-07-06

On this web site was an article saying a patent for FAT filesystem was in limbo. I removed FAT support from LoseThos as a result. Why does Linux get away with it?

Off-topic, but so be it: Linux gets away with it because the patent is still uncertain (rules been overturned 3 times now?) and Microsoft isn't actively persecuting anyone over it. I would like to see them try, but MS wouldn't want the PR nightmare anyway.

Reply Score: 1

Not news
by JCooper on Thu 27th Apr 2006 22:33 UTC
JCooper
Member since:
2005-07-06

There have always been incompatibilities between multi booting and drive encryption - it is by design with all products! Look at what Control Break offer with SafeBoot (and others, including PointSec), it's exactly the same technology... hard disc encryption done below the OS, at the lowest layer where providing a driver interface is possible.

This is not Microsoft Evil, this is just the solution as it is implemented today by 3rd party vendors.

We have 110,000 laptops and desktops already running disk encryption courtesy of SafeBoot. Being able to run that sort of low level data protection with the added bonus of Group Policy control and true OS integration etc will be a *positive* thing with Vista.

Edited 2006-04-27 22:36

Reply Score: 2

re: I don't get it...
by rtfa on Thu 27th Apr 2006 22:34 UTC
rtfa
Member since:
2006-02-27

"the current implementation of mounting NTFS from Linux frustrates that already by corrupting data on the NTFS partition"

What complete and utter cr*p, i do it all the time and I never have any corruption

Reply Score: 2

RE: re: I don't get it...
by DrillSgt on Thu 27th Apr 2006 23:29 UTC in reply to "re: I don't get it..."
DrillSgt Member since:
2005-12-02

As I said in another reply, it happens when you enable RW, which for some distros is automatic. It is not utter crap as it can be replicated consistently. Reading only is not a problem though. I just was not clear in my post, so for that I will take the beating.

Reply Score: 1

RE[2]: re: I don't get it...
by raver31 on Fri 28th Apr 2006 06:11 UTC in reply to "RE: re: I don't get it..."
raver31 Member since:
2005-07-06

You should try the "Edit" button now and again

Reply Score: 1

mounting ntfs in Linux
by ozonehole on Thu 27th Apr 2006 23:58 UTC
ozonehole
Member since:
2006-01-07

Most distros mount an ntfs partition read-only. This is perfectly safe. If you want read/write, you need ntfsmount:

http://wiki.linux-ntfs.org/doku.php?id=ntfsmount

It's also safe, though it doesn't full write access of every file. The article explains it pretty well.

Reply Score: 1

Well
by bullethead on Fri 28th Apr 2006 00:10 UTC
bullethead
Member since:
2005-07-10

Ever hear of owning two computers? One for linux testing, the other for Windows? There's this great invention called the KVM switch. Google it!

Reply Score: 1

RE: double standards
by Soulbender on Fri 28th Apr 2006 05:27 UTC
Soulbender
Member since:
2005-08-18

"You can probably turn it off, so who cares."
If noone cares why does it warrant being a news item?

"Apple has FileVault which does the same, and I've never heard a single complaint about it."

The keyword here is "hardware". Also, FileVault only encrypts your home folder.

From the Bitlocker overview:
"During the boot process, the key that unlocks the encrypted partition is released from the TPM.
The key is only released after operating system integrity has been established. This assures that no offline system tampering or attempts to boot another operating system have taken place."

Interesting, to say the least.
http://www.microsoft.com/technet/windowsvista/library/help/b7931dd8...

Reply Score: 3

Frustrating the exchange of data
by g__t on Fri 28th Apr 2006 06:32 UTC
g__t
Member since:
2006-01-04

Well, see it in the countewise direction.
I could also say that plain Windows cannot mount nearly any of fs supported by Linux (with most notable exceptions of FAT and FAT32), but that doesn't prevent me to use Windows and Linux on the same machine.
Switch the world "Windows" and "Linux" and you have the article.
Is system A requires (or give as option, or would run better with...) fsA and system B requires (or...) fsB, I'll plainly install A on fsA, B on fsB and go for a third filesystem fsC for the data.
BTW even using a single system it would be a very lame thing to do having a single partition for system, temp files and data (for plenty reasons), and since we are talking of multibooting, unless we are not talking of booting a live eval from CD, we should give credit to the user to be capable to repartitioning the disk(s).
I respect Schneier but I think this thing of BitLocker was a bit too much overstimated (or inflated by The Register?), a storm in a glass.

Reply Score: 1

Stupid comments
by Marcellus on Fri 28th Apr 2006 07:56 UTC
Marcellus
Member since:
2005-08-26

Interesting comments from Schneier, who is supposed to be a security expert.
I really hope those comments are only taken out of context and that he's not as stupid as these comments make him sound.

Reply Score: 1

RE: Stupid comments
by g__t on Fri 28th Apr 2006 10:13 UTC in reply to "Stupid comments"
g__t Member since:
2006-01-04

"Interesting comments from Schneier, who is supposed to be a security expert."
Schneier *is* a security expert and is one of the greatest contemporary cryptographer, maybe the greatest living cryptographer (and personally I strongly prefer his Twofish design over Rijndael and Serpent, however even if AES commission tought different Blowfish and Twofish works are enough for me to say he is a genious in this field).
However I don't see a mayor risk in BitLocker for multibooting, people who multiboot are accustomed to vendor and patent lockin (i.e. MS will not allow Windows to mount *x traditional filesystem nor disclose enough of NTFS to allow the contrary) and there are several reasons because all those things cannot and may not stop the users from multibooting.
And even in the worst imaginable scenario the user could boot from an external storage like a firewire or usb disk or even (on a desktop PC) form a traditional disk using a disk switching box. This second physical unit may come with installed Linux, BSD, Darwin, Zeta, etc... AFAIK some vendors indeed sell bootable usbdisk with preinstalled Linux, would be reasonable to think the whole IT industry will agree to disallow any booting device different from first disk, first partition (and this, with Vista hardcored on it)?
And moreover whith computing paradigm that is shifting toward virtualization (not needing access to actual hardware) a locked drive is less than an issue: if Vista can access the hardware, then the virtual machines running on it will access the hardware too trough virtualization, unless MS decide to frustrate Intel and AMD efforts toward bringing virtualization to desktop (worthy idea for plenty reasons) making Vista one of the few system not capable to support any third part virtualization software, that seem quite not probable to me.

Edited 2006-04-28 10:15

Reply Score: 1

RE[2]: Stupid comments
by Marcellus on Fri 28th Apr 2006 12:45 UTC in reply to "RE: Stupid comments"
Marcellus Member since:
2005-08-26

Schneier's "You could look at BitLocker as anti-Linux because it frustrates dual boot" is what I have issues with and like I wrote in my first post, I hope that's just taken out of context.

MS will not allow Windows to mount *x traditional filesystem
Really? I saw no such clause in the license to the file system sdk for Windows.

Reply Score: 1

RE[3]: Stupid comments
by sappyvcv on Fri 28th Apr 2006 13:25 UTC in reply to "RE[2]: Stupid comments"
sappyvcv Member since:
2005-07-06

You're right.

http://digg.com/linux_unix/Windows_Ext2_3_Filesystem_Driver

There are others out there too. I love when people talk about things they have no idea about ;)

Reply Score: 0

RE[4]: Stupid comments
by g__t on Fri 28th Apr 2006 16:05 UTC in reply to "RE[3]: Stupid comments"
g__t Member since:
2006-01-04

"You're right.
http://digg.com/linux_unix/Windows_Ext2_3_Filesystem_Driver "
It's not written from MS, it's not supported from MS, it's not bundled by MS into Windows, the implementation you linked lacks access rights (a major flaw), well, I must agree:
"I love when people talk about things they have no idea about ;) "

What I was saying is that multibooters aren't new to vendors (expecially MS) tecniques to make their lives hard, in this case MS doesn't provide nor gives support to means to work with Ext*, Reiser, JFS, XFS, etc... partitions.
I never said that doesn't exist and cannot exist means to do that, however those tools are written by third part developers and not supported or financed by MS, nor included on Windows distribution.
That means that MS really doesn't care if someone has hard life in working in dual boot with Windows and Linux (otherwise will develope those tools, or finance those developers, or offer support that tird part developers cannot afford, or include those free package in Windows as an optional utility, or...).
Indeed MS cares that things are as hard as they can, using dubious patent claims (in the case of FAT) to cast doubt on the future of the support of open source community to it, or doesn't disclose enough (on NTFS) to slow the development of an appropriate tool.
It's very different from the situation in *x world, were tools for working with a lot of fs (even MS's ones) exist and are actively supported by the community and usually come installed on the system (or easily selectable in the installation stage) so the Average Joe could "just" use them.

That's my point of view, multibooters are accustomed to some vendors (expecially MS) that likes to make things harder for them, this new thing is not different from previous MS politics, was not unexpected and definitely is not a big hit for MS agains multibooters (as I said, there is virtualization gaining importance, there are usb and fw bootable devices, even actually sold with Linux preinstalled, there are HD excanging boxes etc).
What I think is that the worlds of Schenier, that are right, were a bit inflated in the public fantasy and become a storm in a glass.

Edited 2006-04-28 16:06

Reply Score: 1

RE[5]: Stupid comments
by sappyvcv on Fri 28th Apr 2006 19:55 UTC in reply to "RE[4]: Stupid comments"
sappyvcv Member since:
2005-07-06

But they provide the SDK neccesary to write an interface to another file system. Do you really expect *them* to write drivers for ext3/etc? People would just bitch about "embrace, extend, extinguish".

I think what they offer is the best way.

With Linux, it's a community thing, so there are technically no "third party developers". So you can't really compare the two.

And by the way, in regards to:
"I never said that doesn't exist and cannot exist means to do that,"
you said:
" MS will not allow Windows to mount *x traditional filesystem"
Which was proven wrong.

Edited 2006-04-28 19:58

Reply Score: 1

RE[6]: Stupid comments
by g__t on Sat 29th Apr 2006 08:36 UTC in reply to "RE[5]: Stupid comments"
g__t Member since:
2006-01-04

"And by the way, in regards to:
"I never said that doesn't exist and cannot exist means to do that,"
you said:
" MS will not allow Windows to mount *x traditional filesystem"
Which was proven wrong."

Ok, now I got what are you saying and I must admit my thoughts were poorly written.
Whith "not allow" I would liked to stress the difference between Windows vendor and Linux vendors (community and vendors, that are corporate beings as well as MS, imho), while Linux vendors support that kind of tools (writing, distributing, embedding into the distros etc) MS doesn't support those kind of interactivity but rather try to boycott it as they can: legal issues on FAT, non disclosures about NTFS, they doesn't write nor distribute those drivers etc... read the "not allow" as the "don't want and try to do everything they can to avoid it" (I bet you guessed that I'm not an English native speaker before now...)
Probably (I would say certainly) they had to provide the SDK neccesary to write an interface to those fs and will always need to do so because of corporate users (and all we know how MS struggled to enter those high marginal profit market in last 10 years!), so I don't see anything strange that they will do everithing they can do, without risking to loose corporate market users, to continue the "embrace, extend, extinguish" strategy.

Reply Score: 1

RE[7]: Stupid comments
by sappyvcv on Sat 29th Apr 2006 13:53 UTC in reply to "RE[6]: Stupid comments"
sappyvcv Member since:
2005-07-06

You're not talking about the same thing here. You're talking about FAT and NTFS in this post.

But it's about writing drivers for OTHER file systems on Windows and MS DOES support that.

Reply Score: 1

Sector crypto
by JackMayhoff on Fri 28th Apr 2006 08:59 UTC
JackMayhoff
Member since:
2006-04-27

belongs on the controller, use your smartcard reader on your laptop along with Seagate FULL DISK ENCRYPTION 2.5" drives, software sector crypto performs up tp 40% less. Why bother with this software crap? You can always use CompuSec's http://www.ce-infosys.com.sg/CeiNews_FREECompuSec.asp for FREE is you really want a badly performing system. Its better to just bey a seagate FDE.

Reply Score: 1

and didn't I say???
by deathshadow on Fri 28th Apr 2006 17:06 UTC
deathshadow
Member since:
2005-07-12

>> Overexposure to messages will lead many consumers to ignore them and blindly agree to what applications are seeking to do, he added.

That like six months ago? Hell, it's how people react to ActiveX now!

Reply Score: 1