Linked by Thom Holwerda on Wed 21st Sep 2011 22:06 UTC, submitted by kragil
After the walled garden coming to the desktop operating system world, we're currently witnessing another potential nail in the coffin of the relatively open world of desktop and laptop computing. Microsoft has revealed [.pptx] that as part of its Windows 8 logo program, OEMs must implement UEFI secure boot. This could potentially complicate the installation of other operating systems, like Windows 7, XP, and Linux.
So ...
by WorknMan on Wed 21st Sep 2011 22:34 UTC
WorknMan
Member since:
2005-11-13

What happens if you don't buy a computer from an OEM? Like, if you just buy the parts online and put it together yourself.

And for the record, I don't believe it is government's place to tell these companies that they shouldn't be allowed to lock down these devices. However, I also don't think they should be telling consumers that we're not allowed to jailbreak them either.

Reply Score: 3

RE: So ...
by nonoitall on Thu 22nd Sep 2011 01:57 UTC in reply to "So ..."
nonoitall Member since:
2011-09-22

@WorknMan: When's the last time you built your own laptop though?

Edited 2011-09-22 01:58 UTC

Reply Score: 6

RE[2]: So ...
by Soulbender on Thu 22nd Sep 2011 04:24 UTC in reply to "RE: So ..."
Soulbender Member since:
2005-08-18

Plenty of stores selling laptops without OEM Windows, at least around these parts.

Reply Score: 2

RE[2]: So ...
by nbensa on Thu 22nd Sep 2011 12:05 UTC in reply to "RE: So ..."
nbensa Member since:
2005-08-29

@WorknMan: When's the last time you built your own laptop though?


Six months ago. Where do you live?

Reply Score: 1

RE: So ...
by Neolander on Thu 22nd Sep 2011 07:04 UTC in reply to "So ..."
Neolander Member since:
2010-03-08

Putting parts together doesn't work well for laptops, which are slowly becoming dominant. Also, it would restrict alternative OSs to a geeks-only market: no more installing a lightweight Linux distro on a friend's old computer which cannot run Windows anymore, or using old desktops as home servers...

Reply Score: 6

RE[2]: So ...
by foregam on Thu 22nd Sep 2011 11:23 UTC in reply to "RE: So ..."
foregam Member since:
2010-11-17

I agree, but what you say will be true in the (not so) distant future: time will pass before tomorrow's Windows 8 compliant PC becomes an old computer needing a lightweight distro.
On the bright side, there's a huge investment in old/'legacy' software which people will want to run, including non-8 versions of Windows. By 'people' I mean 'people with money' — businesses, banks, public administration, the military — the kind which matters to MS. There will be a switch. I bet MS doesn't want another huge antitrust lawsuit, either. They might get away with this crap on ARM but definitely not on x86/commodity ground.

Reply Score: 1

RE[3]: So ...
by WorknMan on Thu 22nd Sep 2011 16:59 UTC in reply to "RE[2]: So ..."
WorknMan Member since:
2005-11-13

Putting parts together doesn't work well for laptops, which are slowly becoming dominant


*sigh* My question was merely academic in nature. I asked what would happen if you built your own computer, and the answer I got was 'it doesn't matter for laptops', when I wasn't talking about laptops ;)

Reply Score: 3

RE[4]: So ...
by foregam on Thu 22nd Sep 2011 17:55 UTC in reply to "RE[3]: So ..."
foregam Member since:
2010-11-17

Ehm, I bet you meant to reply to Neolander, not me. Anyway, to answer your question: I can buy a locally assembled laptop at about 70% the price of e.g. its Dell equivalent. It won't be exactly DIY but for most parts there're long lists to choose from.

Reply Score: 1

RE[5]: So ...
by WorknMan on Thu 22nd Sep 2011 19:51 UTC in reply to "RE[4]: So ..."
WorknMan Member since:
2005-11-13

Anyway, to answer your question: I can buy a locally assembled laptop at about 70% the price of e.g. its Dell equivalent. It won't be exactly DIY but for most parts there're long lists to choose from.


That wasn't the question either, lol. The article says that MS would require OEMs to implement secure boot, but what I asked is what happens if you build your own PC and there technically is no OEM? In that case, who does the signature for the secure booting?

Reply Score: 2

RE[6]: So ...
by foregam on Thu 22nd Sep 2011 20:19 UTC in reply to "RE[5]: So ..."
foregam Member since:
2010-11-17

My guess is the motherboard manufacturer. In any case a DIY PC isn't a candidate for a 'Windows 8 Certified' sticker.

Reply Score: 2

RE[7]: So ...
by l3v1 on Fri 23rd Sep 2011 05:24 UTC in reply to "RE[6]: So ..."
l3v1 Member since:
2005-07-06

My guess is the motherboard manufacturer. In any case a DIY PC isn't a candidate for a 'Windows 8 Certified' sticker.


The question is, if you want to build it (we've built and use workstations and servers here - as many others do at very many places - that serve us way more than any pre-built one), would you be able to find high-end motherboards with BIOSes that let you do what you want.

Reply Score: 2

To MS and Apple we are all frogs in a pan
by kragil on Wed 21st Sep 2011 22:41 UTC
kragil
Member since:
2006-01-04

They will turn the temperature up just a little with every new product they release.
They learned from the trusted computing backlash.
At first there will be an option to turn off secure boot. It will only make booting other OSes annoying, because you need to enable and disable it for stock Windows 8 every time. But with Windows 9 in three years it will be mandatory that this option is removed.
Mandatory TPMs(sans user control) are next.
Treacherous computing was just a decade too early.

Reply Score: 13

v Comment by ronaldst
by ronaldst on Wed 21st Sep 2011 23:03 UTC
RE: Comment by ronaldst
by lemur2 on Wed 21st Sep 2011 23:33 UTC in reply to "Comment by ronaldst"
lemur2 Member since:
2007-02-17

"I have a hard time believing the combined power of Apple and Microsoft - both strong supporters of these kinds of anti-user features" Can't tell if trolling... Anti-user? That doesn't even compute.


"Anti-user" is any feature that is part of a product that is there only because it benefits the vendor, not the user.

http://en.wikipedia.org/wiki/Damaged_good

"In economics, a damaged good (sometimes termed "crippleware" or product with "anti-features") is a good that has been deliberately limited in performance, quality or utility, typically for marketing reasons as part of a strategy of product differentiation."

Microsoft's "Genuine Advantage" euphemism is an absolute classic example. This did absolutely nothing for users except lock some of them out and require some people to purchase new copies of software they had already bought.

Here is another example of a different flavour:
http://www.osnews.com/comments/25175

Microsoft's "Windows 7 Starter" is a similar (although not as drastic) example where Microsoft take a reasonable OS and then go out of their way to cripple it. It actually costs Microsoft more to produce such a version which has the express aim to give users less functionality.

Anti-user. QED.

Edited 2011-09-21 23:39 UTC

Reply Score: 12

RE[2]: Comment by ronaldst
by Brendan on Thu 22nd Sep 2011 02:29 UTC in reply to "RE: Comment by ronaldst"
Brendan Member since:
2005-11-16

Hi,

Anti-user. QED.


Whether or not it's anti-user depends on who has the keys.

If the owner of the computer (e.g. the end-user) has full control over which keys are installed, then it's a "pro-user" feature as it allows them to run any OS they like while also making it hard for things like boot-time rootkits and viruses; and may possibly even help to prevent theft (e.g. if your laptop gets stolen, then maybe nobody will be able to access your data without your password; even if they attempt to replace the OS). This is the best case scenario - a scenario where (for e.g.) Linux could also use secure boot to benefit the end user.

If the owner of the computer (e.g. the end-user) doesn't have any control over which OSs are allowed and which aren't, then it's anti-user (and I'll be boycotting and recommending everyone else does too).

It's worth pointing out that "UEFI Secure Boot" could be used either way - to benefit the owner/user, or in spite of the owner/user. I'm hoping it will be used in a good way (e.g. to avoid the need for a layer of "DeepSAFE" McAfee bloat) and not in a bad way.

- Brendan

Reply Score: 6

RE[3]: Comment by ronaldst
by lemur2 on Thu 22nd Sep 2011 03:11 UTC in reply to "RE[2]: Comment by ronaldst"
lemur2 Member since:
2007-02-17

Hi, "Anti-user. QED.
Whether or not it's anti-user depends on who has the keys. If the owner of the computer (e.g. the end-user) has full control over which keys are installed, then it's a "pro-user" feature as it allows them to run any OS they like while also making it hard for things like boot-time rootkits and viruses; and may possibly even help to prevent theft (e.g. if your laptop gets stolen, then maybe nobody will be able to access your data without your password; even if they attempt to replace the OS). This is the best case scenario - a scenario where (for e.g.) Linux could also use secure boot to benefit the end user. If the owner of the computer (e.g. the end-user) doesn't have any control over which OSs are allowed and which aren't, then it's anti-user (and I'll be boycotting and recommending everyone else does too). It's worth pointing out that "UEFI Secure Boot" could be used either way - to benefit the owner/user, or in spite of the owner/user. I'm hoping it will be used in a good way (e.g. to avoid the need for a layer of "DeepSAFE" McAfee bloat) and not in a bad way. - Brendan "

My post made no claim if UEFI Secure Boot was or was not an "anti-user" feature.

The author of the lead article, kragil, introduced the term "anti-user" with these paragraphs:

"For now, it's hard to tell if this secure boot thing will be an option we can turn off, or if OEMs will - like they do with BIOS features all the damn time - disable the option of turning it off. In any case, I must say that I'm very, very worried that the horrible, anti-user situation of smartphones will permeate into the world of desktop and laptop computers.

The problem here is that governments the world over will be filled with glee over the fact that we would no longer be able to run the software of our choosing - at least, not easily. This means more control, something the, for instance, entertainment industry will love to death. I mean, someone has to think of the children.

I have a hard time believing the combined power of Apple and Microsoft - both strong supporters of these kinds of anti-user features - will not be able to convince and buy governments the world over into not doing anything about this.

It would appear that despite his extremist views over the years, Richard Stallman is more and more starting to look like a true visionary. The fact that he had the foresight to think about hypothetical issues like this decades ago is pretty remarkable."


My post was intended only to explain what was meant by the term "anti-user". It is not a term that "does not compute".

FWIW, I think the original article was actually a pretty decent clue as to what was meant by the term, and what was wrong (from a user's perspective) with UEFI secure boot, but there you go.

BTW, the whole concept of UEFI secure boot is defeated if ordinary users have keys. If ordinary users have keys, rootkit authors will have keys also.

http://www.osnews.com/permalink?490295

Edited 2011-09-22 03:18 UTC

Reply Score: 3

RE[3]: Comment by ronaldst
by Alfman on Thu 22nd Sep 2011 04:53 UTC in reply to "RE[2]: Comment by ronaldst"
Alfman Member since:
2011-01-28

Brendan,

"Whether or not it's anti-user depends on who has the keys."

Precisely.

Some people here are assuming that the keys must be hard coded into the bios such that only operating systems approved by the vendors can be run. I really don't know if that is the intentions of UEFI secure boot or not...if it is, well users are screwed. Not only won't we have control, but now the security of our own computers becomes dependent upon third parties who control the master keys.

Ideally this feature should be designed to work for users rather than against us. All keys could be manageable through the bios on powerup, and then remain locked after boot so they cannot be tampered with later on. Then we could use our own individual/corporate key to sign the keys of whichever OS vendors we want to trust on our computers or lans.

Of course, for normal users, this would all be setup at the factory...but at least the control over which operating systems are allowed to run lies with us as users rather than the manufacturer or microsoft.


Also there is another risk, that even if users can manage their own keys, a powerful vendor might coerce users to delete keys of its competitors in order to load itself. Therefore I'd hope that this feature is designed in such a way that the list of approved keys can be kept secret from discriminatory operating systems.

Reply Score: 5

RE[4]: Comment by ronaldst
by lemur2 on Thu 22nd Sep 2011 05:53 UTC in reply to "RE[3]: Comment by ronaldst"
lemur2 Member since:
2007-02-17

Brendan, "Whether or not it's anti-user depends on who has the keys." Precisely. Some people here are assuming that the keys must be hard coded into the bios such that only operating systems approved by the vendors can be run. I really don't know if that is the intentions of UEFI secure boot or not...if it is, well users are screwed. Not only won't we have control, but now the security of our own computers becomes dependent upon third parties who control the master keys. Ideally this feature should be designed to work for users rather than against us. All keys could be manageable through the bios on powerup, and then remain locked after boot so they cannot be tampered with later on. Then we could use our own individual/corporate key to sign the keys of whichever OS vendors we want to trust on our computers or lans. Of course, for normal users, this would all be setup at the factory...but at least the control over which operating systems are allowed to run lies with us as users rather than the manufacturer or microsoft. Also there is another risk, that even if users can manage their own keys, a powerful vendor might coerce users to delete keys of its competitors in order to load itself. Therefore I'd hope that this feature is designed in such a way that the list of approved keys can be kept secret from discriminatory operating systems.


According to Red Hat's Matthew Garrett, the keys are stored as part of the system firmware.

http://mjg59.dreamwidth.org/5552.html

"if we self-sign, it's still necessary to get our keys included by every OEM."

This says that users don't have the ability to say what OSes they wish to boot, but rather the OEMs determine which vendor's OS the hardware can boot by including the OS vendor's key in the system firmware.

If OEMs' historical record of lack of supporting Linux via ACPI is any indication, this isn't going to happen. Linux simply won't be bootable by any hardware with UEFI Secure boot enabled.

Edited 2011-09-22 05:59 UTC

Reply Score: 3

RE[5]: Comment by ronaldst
by Alfman on Thu 22nd Sep 2011 06:16 UTC in reply to "RE[4]: Comment by ronaldst"
Alfman Member since:
2011-01-28

lemur2,

"According to Red Hat's Matthew Garrett, the keys are stored as part of the system firmware."

I am really afraid that you and he may be right. The feature may be deliberately designed to work against the owner.

In theory, a bootloader that loads linux directly or can chainload into grub will probably be signed (although not necessarily the version you want). It's asinine that linux would have to boot through proprietary/locked software.


http://www.techpowerup.com/152439/Windows-8-Secure-Boot-Designed-to...

"The extension of Microsoft’s OS monopoly to hardware would be a disaster, with increased lock-in, decreased consumer choice and lack of space to innovate."

Edit: it's not just linux either, all BSDs and other independent platforms would be at a loss too. There is no way independent OS developers will be able to get their keys signed by all the manufacturers.

Edited 2011-09-22 06:24 UTC

Reply Score: 6

RE[5]: Comment by ronaldst
by Brendan on Thu 22nd Sep 2011 16:29 UTC in reply to "RE[4]: Comment by ronaldst"
Brendan Member since:
2005-11-16

Hi,

First, UEFI is unlike a normal BIOS in that you can have "UEFI applications" (e.g. various tools and utilities); and the "Secure Boot" stuff applies to *ALL* executables, including UEFI drivers, UEFI applications and UEFI boot loaders. This means that the firmware can have a utility that allows the user to manage keys, and the firmware may be supplied with one key for that utility (and any keys needed for supplied device drivers) and nothing else. In that case the end-user would need to add keys for Windows8 (if the OEM didn't already do it) and/or anything else they want to allow (or disallow).

Secondly, there's a blacklist. If the firmware refused to execute anything that isn't in its whitelist, then there'd be no point having a blacklist. It's possible that if the executable is in the whitelist then it's allowed to execute, if the executable is in the blacklist it's refused, and if the executable is not on either list the firmware pops up a (password protected?) "Unknown executable, allow/disallow?" prompt.

Third, there's no central authority for keys. This means that anyone can use any key, and build scripts for open source boot loaders (e.g. GRUB2, elilo) could just generate a certificate using a randomly generated key. The end user would need to add the key to their whitelist; either manually (via some utility) or semi-automatically (if there's some sort of "allow/disallow" prompt). It's not like you have to pay a company like DigiNotar for each public key, and not like open source boot loaders would be forced to have a specific key (and forced to do something to prevent root-kit authors from finding out what their key is).

Basically all I'm saying is that nobody knows how it's going to be implemented by firmware authors and/or OEMs; and therefore it's too early to determine if it's a good thing or a bad thing.

I still hope it's going to be a good thing, and that open source boot loaders (and open source OSs) will be able to use it to protect users from malicious code.

Of course I'm sceptical too; and not just because UEFI Secure Boot could be implemented badly by firmware authors and OEMs. There's an unfortunate tendency in certain open source projects (e.g. GRUB) to assume that anything intended to improve security (TPM, drive encryption, etc) is inherently "evil"; and based on these incorrect assumptions the projects deny the end user the ability (dare I say "deny the freedom") to choose to use something that improves their own security if they want to.

- Brendan

Reply Score: 4
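
The three-way decision speculated about in the comment above (allow, refuse, or prompt), as an added example that is not part of the original thread and is not firmware code. The class and field names are hypothetical, signature verification is reduced to a signer fingerprint carried by each image, and checking the deny list before the allow list is an assumption of this example.

```python
"""Toy model of an allow / deny / prompt boot policy (added example)."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    PROMPT = "prompt"  # unknown executable: ask the authenticated owner


@dataclass(frozen=True)
class Image:
    name: str
    content: bytes
    # Fingerprint of the key whose signature verified; None if unsigned or
    # if verification failed. Real firmware checks the signature itself.
    signer: Optional[str] = None

    @property
    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class KeyStore:
    allowed_signers: Set[str] = field(default_factory=set)
    allowed_hashes: Set[str] = field(default_factory=set)
    denied_signers: Set[str] = field(default_factory=set)
    denied_hashes: Set[str] = field(default_factory=set)

    def evaluate(self, image: Image) -> Verdict:
        # Deny entries win, so one bad binary can be refused even though
        # the key that signed it stays on the allow list.
        if image.digest in self.denied_hashes or image.signer in self.denied_signers:
            return Verdict.DENY
        if image.digest in self.allowed_hashes or image.signer in self.allowed_signers:
            return Verdict.ALLOW
        return Verdict.PROMPT

    def owner_decision(self, image: Image, allow: bool) -> Verdict:
        # Record the owner's answer by hash so it applies to this exact
        # binary only, not to everything a signer might produce later.
        (self.allowed_hashes if allow else self.denied_hashes).add(image.digest)
        return self.evaluate(image)


def demo() -> dict:
    # All fingerprints and image contents below are constructed sample data.
    store = KeyStore(allowed_signers={"fp:os-vendor"})
    shipped = Image("vendor loader", b"loader v2", signer="fp:os-vendor")
    revoked = Image("vendor loader, old build", b"loader v1", signer="fp:os-vendor")
    grub = Image("self-built GRUB2", b"grub build", signer="fp:owner-generated")
    unsigned = Image("unsigned tool", b"tool")

    # A specific build is blacklisted by hash; its signer remains trusted.
    store.denied_hashes.add(revoked.digest)

    results = {
        "shipped": store.evaluate(shipped),
        "revoked": store.evaluate(revoked),
        "grub_before_enrol": store.evaluate(grub),
        "unsigned": store.evaluate(unsigned),
    }

    # The owner enrols the key their own build script generated.
    store.allowed_signers.add(grub.signer)
    results["grub_after_enrol"] = store.evaluate(grub)

    # The owner answers "disallow" at the prompt for the unsigned tool.
    results["unsigned_after_refusal"] = store.owner_decision(unsigned, allow=False)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict.value}")
```
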

RE[5]: Comment by ronaldst
by l3v1 on Fri 23rd Sep 2011 05:28 UTC in reply to "RE[4]: Comment by ronaldst"
l3v1 Member since:
2005-07-06

According to Red Hat's Matthew Garrett, the keys are stored as part of the system firmware.


Well then, linux pros will become firmware-hacking pros as well. What man has put together, man can pull apart.

Reply Score: 2

RE[3]: Comment by ronaldst
by amadensor on Thu 22nd Sep 2011 19:05 UTC in reply to "RE[2]: Comment by ronaldst"
amadensor Member since:
2006-04-10

Solution: Create a non-free, open source signed bootable CD whose only function is to insert new keys into the UEFI. That one CD can be signed, and each machine owner can generate their own private key (easily automated) and as part of the install process, the software is signed with the key specific to that person, no keys public to leak, and yet everyone has the keys needed to modify the hardware and hopefully this can comply with GPL3.

Install goes like this:

1: Run special key maker CD, which inserts the key into the chip and puts it on a flash drive.

2: Run the installer which grabs the key from the flash drive and signs the install.

3: Pull out the USB drive so that malware can't grab it.

When you want to tweak the boot loader, or install something that needs to be signed, you plug in the flash drive just during that install's signing process. Physical security to reduce the window of opportunity for malware to get your key.

Reply Score: 1

RE: Comment by ronaldst
by Tony Swash on Thu 22nd Sep 2011 10:30 UTC in reply to "Comment by ronaldst"
Tony Swash Member since:
2009-08-22

"I have a hard time believing the combined power of Apple and Microsoft - both strong supporters of these kinds of anti-user features"

Can't tell if trolling... Anti-user? That doesn't even compute.


I think what is meant is 'anti-a users just like me'.

I don't know much or care much about UEFI secure boot in Windows 8 and clearly it's possible to facilitate the installation of alternative operating systems via UEFI as Apple did with the Mac but 'anti-user'?

It's worth remembering that 99% of users want stuff that works out of the box, they don't want to be system integrators, they don't want to tinker, they don't want to figure out how everything works. They just want computers that work, that don't fuck up and that let them get on and do stuff.

It's like cars. Most normal people want cars so they can drive about and do stuff, stuff not to do with cars but normal stuff. A very small minority of people actually like to tinker with cars, they don't want cars just to drive about, they want to play around with their inner workings. So if a car company came out with a new car and said 'our new design is proved to be 10 times more reliable than current car designs but it involves sealing the engine compartment so you cannot get at the engine with seeing a professional mechanic' consumers would lap it up. And they would be right to lap it up as it would meet their needs better.

Consumers that want computers and devices to just work and don't want to tinker with them are not stupid, they are clever. They are clever because they have correctly identified their needs and correctly identified what they are not interested in. Who needs to know how a phone works to want to gossip on the phone or make the next world changing deal on a phone? The requirement to know how a technology works in order to use it is a sign of an immature technology. Progress means taking away that work overhead so you can use technology to just do all the other stuff that makes up human culture.

Reply Score: 1

RE[2]: Comment by ronaldst
by Alfman on Thu 22nd Sep 2011 10:39 UTC in reply to "RE: Comment by ronaldst"
Alfman Member since:
2011-01-28

Tony Swash,

"I don't know much or care much about UEFI secure boot in Windows 8 and clearly it's possible to facilitate the installation of alternative operating systems via UEFI as Apple did with the Mac but 'anti-user'?

It's worth remembering that 99% of users want stuff that works out of the box, they don't want to be system integrators..."

I think we all get this. But the question is why was it engineered to take power away from the owners? This is not a necessary element of secure boot. Even if 99% of users never need to touch it, why prohibit them from doing so if they want to use it with their own code? That's the problem that we/I have.

Reply Score: 6

RE[3]: Comment by ronaldst
by Thom_Holwerda on Thu 22nd Sep 2011 11:12 UTC in reply to "RE[2]: Comment by ronaldst"
Thom_Holwerda Member since:
2005-06-29

I think we all get this. But the question is why was it engineered to take power away from the owners? This is not a necessary element of secure boot. Even if 99% of users never need to touch it, why prohibit them from doing so if they want to use it with their own code? That's the problem that we/I have.


The problem is that Apple fanatics tend to be blind to issues beyond the needs of Apple users. The kind of control we hand over to private entities we have ZERO control over, entities which have very close ties to what I consider to be an immoral, inhumane, and barbaric regime (the US one, no matter the party or president in power) is something I do not find particularly comforting.

Not that it WILL affect me in any way, but the POSSIBILITY should make any true democrat [the ideology, not the party] nervous.

Reply Score: 5

RE[4]: Comment by ronaldst
by vitae on Thu 22nd Sep 2011 21:18 UTC in reply to "RE[3]: Comment by ronaldst"
vitae Member since:
2006-02-20

immoral, inhumane, and barbaric regime (the US one, no matter the party or president in power)


Okay, I have a question, if this can be done in a civilized manner. I've no problem with people calling us Americans barbarians and such. It's true, we took this land forcibly from the Native Americans and built it up with slavery, exploiting Chinese workers so and so forth.

What I don't understand is why these lectures come so often from Europeans, when everything we learned about violence and oppression, we learned from them. Millennia of wars, colonialism and brutality towards each other and people across the planet seems to have been forgotten rather quickly.

Reply Score: 2

RE[5]: Comment by ronaldst
by Thom_Holwerda on Thu 22nd Sep 2011 21:52 UTC in reply to "RE[4]: Comment by ronaldst"
Thom_Holwerda Member since:
2005-06-29

Okay, I have a question, if this can be done in a civilized manner. I've no problem with people calling us Americans barbarians and such. It's true, we took this land forcibly from the Native Americans and built it up with slavery, exploiting Chinese workers so and so forth.


That's not what I'm referring to.

What I don't understand is why these lectures come so often from Europeans, when everything we learned about violence and oppression, we learned from them. Millennia of wars, colonialism and brutality towards each other and people across the planet seems to have been forgotten rather quickly.


Oh you won't hear me excuse the Dutch past. We were the worst slave traders, we've done terrible things to the people of Indonesia back when it was our colony, and so on. However, that's not what I'm referring to.

I'm referring to the intense poverty in the US nobody seems to give a shit about as long as the rich few can remain rich. I'm referring to the death penalty. I'm referring to the insanely high homicide, drug abuse, and crime rates. I'm referring to the offensive wars in Iraq and Afghanistan, which led to the deaths of hundreds of thousands of people.

Let that sink in for a while: your government caused the deaths of hundreds of thousands of people. Not 500 years ago, not 100 years ago, not even 60 years ago - but right now. Pointing to the insane things the Dutch have done up until we finally became civilised does not negate this.

Then there's Guantanamo Bay, widespread disregard for civil and constitutional rights, utterly corrupt Congress and administration... The list goes on.

I have absolutely zero issues with Americans as a people - quite the opposite in fact. Every American I've ever met - no exceptions - has been nothing but kind and awesome. In fact, I'd rather hang out with the average American than with the average Dutchman. Without a doubt.

Reply Score: 4

RE[5]: Comment by ronaldst
by l3v1 on Fri 23rd Sep 2011 05:35 UTC in reply to "RE[4]: Comment by ronaldst"
l3v1 Member since:
2005-07-06

Okay, I have a question, if this can be done in a civilized manner


Funny how this (let's be civilized now) pops up when criticism towards the lands over the big water happen to arise. Criticism is a two way street, and somebody at one end has made plenty of criticism towards everyone and dog, getting some in return shouldn't feel overly uncivilized.

Reply Score: 2

RE[6]: Comment by ronaldst
by vitae on Fri 23rd Sep 2011 21:06 UTC in reply to "RE[5]: Comment by ronaldst"
vitae Member since:
2006-02-20

You think we've criticized the Europeans more than they criticize us?

Reply Score: 2

RE[3]: Comment by ronaldst
by Tony Swash on Thu 22nd Sep 2011 18:44 UTC in reply to "RE[2]: Comment by ronaldst"
Tony Swash Member since:
2009-08-22

I think we all get this. But the question is why was it engineered to take power away from the owners? This is not a necessary element of secure boot. Even if 99% of users never need to touch it, why prohibit them from doing so if they want to use it with their own code? That's the problem that we/I have.



Personally I think it's because Microsoft has always had a monopolistic business model, since they achieved a monopoly position in relation to Windows and Office everything they have done has been about defending and extending that monopoly. It's what has made them so bad at innovating. Microsoft knows, deep down inside, that if its core products had to compete on a level playing field against just as viable alternatives that they would fail.

Reply Score: 1

RE[2]: Comment by ronaldst
by JAlexoid on Thu 22nd Sep 2011 11:45 UTC in reply to "RE: Comment by ronaldst"
JAlexoid Member since:
2009-05-19

It's like cars. Most normal people want cars so they can drive about and do stuff, stuff not to do with cars but normal stuff. A very small minority of people actually like to tinker with cars, they don't want cars just to drive about, they want to play around with their inner workings. So if a car company came out with a new car and said 'our new design is proved to be 10 times more reliable than current car designs but it involves sealing the engine compartment so you cannot get at the engine with seeing a professional mechanic' consumers would lap it up. And they would be right to lap it up as it would meet their needs better.


Consumers actually tend to stay further away from cars that can't be serviced at a low enough cost after their warranty expires. And the majority of the world's population does not drive a new car(3 or less y/o).
People are very well aware of maintenance issues...

If the car manufacturer came out and said: "We will not allow access to the engine, but you get a 20 year warranty on the car"; then consumers would snatch it.

Computer maintenance is less of a normal thing, like changing worn out belts in a car, but still...

Reply Score: 5

RE[3]: Comment by ronaldst
by jack_perry on Thu 22nd Sep 2011 15:44 UTC in reply to "RE[2]: Comment by ronaldst"
jack_perry Member since:
2005-07-06

Actually, we have the situation he describes now: manufacturers have for more than a decade now been manufacturing cars where it is very hard, if not impossible, for an ordinary consumer to change the oil: the filter is out of reach; "protective covers" have been screwed onto the bottoms of cars, etc. And never mind the use of computers within cars, that make it impossible to hand-tune the way people used to.

Yet people don't avoid these cars: they buy them, then take them to mechanics, and pay the fees gladly, in no small part because they're more reliable: today's cars last a *lot* longer than cars of a half-century ago. Whether they're more reliable because it's impossible for Jim Bob to change his own oil is not clear to me, but the guy has a point.

Reply Score: 2

RE[4]: Comment by ronaldst
by JAlexoid on Sat 24th Sep 2011 22:24 UTC in reply to "RE[3]: Comment by ronaldst"
JAlexoid Member since:
2009-05-19

What you said, I implied. But it's not about the things being further away, it's about having to go to an "authorized service". Have you seen the prices these thieves charge?
Most people don't service their cars, but they do appreciate the ability to bring it to a service that is cheaper and, probably, geographically closer. Even the ECU can be tuned by an unauthorized technician*.

With these encryption and signature schemes, there is no

* - I know first hand, since I made a lot of software and hardware to get the actual access to the parameters of different ECU and other automotive electronics.

Reply Score: 2

The more things change
by TADS on Wed 21st Sep 2011 23:19 UTC
TADS
Member since:
2010-11-01

Say what you will about RMS and label him as an extremist all you want, but the man has consistently been proven right over the years. "The Right to Read" (Kindle, e-books, DRM, remote book deletions), GPLv3 and software patents being the next big battleground (witness the current mobile patent wars), treacherous computing (current crop of smartphones, Apple and now apparently Microsoft), and these are just off the top of my head.

This new move of Microsoft shouldn't really be all that surprising though, they've been trying to push this sort of architecture for years. In the past it's been known as Palladium, which then morphed into the Next Generation Secure Computing Base when the former name accrued too much bad press, and now we have this, which as far as I can tell has no name at all (always learning, Microsoft...)

Yep, just keep on rewarding these companies with your money, I'm sure nothing bad will happen.

Reply Score: 27

Comment by OSbunny
by OSbunny on Thu 22nd Sep 2011 00:35 UTC
OSbunny
Member since:
2009-05-23

If you want to hide malicious code you can do it in open source as well. There was that news a few months ago about openbsd having malicious code. Don't know whether it was true or not but the possibility remains.

Anyway I don't see MS succeeding in forcing motherboard manufacturers to disallow Linux installation.

Reply Score: 1

RE: Comment by OSbunny
by lemur2 on Thu 22nd Sep 2011 01:33 UTC in reply to "Comment by OSbunny"
lemur2 Member since:
2007-02-17

If you want to hide malicious code you can do it in open source as well. There was that news a few months ago about openbsd having malicious code. Don't know whether it was true or not but the possibility remains.


Quote please. AFAIK the track record is that malware has never been distributed to users via open source repositories. The only way it happens is to distribute modified code binary-only executables to Windows users.

Actually, you can't hide malware in the source code of open source software which is developed in collaboration by a number of independent programmers. The more people involved, the more impossible it becomes. If you want to inject malware, it has to be done AFTER taking the source code from the development project but BEFORE distributing binaries to end users, this is the only remotely possible point of injection. Even then, if the users can get the source and also the binaries and they can compile the source for themselves and check it, then even that possible point of injection is no longer possible.

Anyway I don't see MS succeeding in forcing motherboard manufacturers to disallow Linux installation.


The UEFI specification is not actually from Microsoft. Microsoft are simply saying that UEFI secure boot is required if an OEM wishes to put a "Designed for Windows 8" sticker on their hardware.

Arguably, if something is indeed "Designed for Windows 8", it is reasonable to expect that it can't run anything but Windows 8.

For myself, I put together my own desktop machines. I typically buy an "upgrade" package which includes a motherboard, CPU, RAM and box. I add a blank hard disk drive, optical drive and graphics card, plug it all together, insert a Linux LiveCD into the optical drive, and away I go. Doing this has been quite a bit less expensive for me than buying store-bought machines of equivalent performance anyway. The problem here is that the days of such machines are arguably numbered.

It shouldn't be a problem because the market is about to be flooded with a plethora of reasonable ARM tablets designed to run Android. E.g:

http://www.osnews.com/comments/25176

If you want to have a Linux desktop machine one of those can easily be adapted, just add a USB keyboard and mouse, HDMI monitor and USB external storage (or use a NAS device).

Edited 2011-09-22 01:40 UTC

Reply Score: 0

RE[2]: Comment by OSbunny
by Lennie on Thu 22nd Sep 2011 09:10 UTC in reply to "RE: Comment by OSbunny"
Lennie Member since:
2007-09-22

Actually it is possible to include something in an open source project, but you'll have to also modify the compiler and probably wait a few years to:

Thompson's paper described a modified version of the Unix C compiler that would:

Put an invisible backdoor in the Unix login command when it noticed that the login program was being compiled, and as a twist
Also add this feature undetectably to future compiler versions upon their compilation as well.

http://en.wikipedia.org/wiki/Backdoor_%28computing%29

It is not very likely, but it is possible

Reply Score: 4

RE[3]: Comment by OSbunny
by lemur2 on Thu 22nd Sep 2011 09:53 UTC in reply to "RE[2]: Comment by OSbunny"
lemur2 Member since:
2007-02-17

Actually it is possible to include something in an open source project, but you'll have to also modify the compiler and probably wait a few years to:

Thompson's paper described a modified version of the Unix C compiler that would:

Put an invisible backdoor in the Unix login command when it noticed that the login program was being compiled, and as a twist
Also add this feature undetectably to future compiler versions upon their compilation as well.

http://en.wikipedia.org/wiki/Backdoor_%28computing%29

It is not very likely, but it is possible


That was only possible because the Unix C compiler itself was not open source.

I repeat, it is not possible to put malware into a product using an open source development process.

BTW, Linux is not Unix. BSD is Unix, but Linux isn't.

Edited 2011-09-22 09:54 UTC

Reply Score: 2

RE[4]: Comment by OSbunny
by Lennie on Thu 22nd Sep 2011 10:02 UTC in reply to "RE[3]: Comment by OSbunny"
Lennie Member since:
2007-09-22

You say "it is not possible" to add such a thing to an open source project.

That would be a bit naive.

It is like saying: it is not possible to be struck by lightning.

It is possible, just not very likely.

Reply Score: 2

RE[5]: Comment by OSbunny
by lemur2 on Thu 22nd Sep 2011 10:09 UTC in reply to "RE[4]: Comment by OSbunny"
lemur2 Member since:
2007-02-17

You say "it is not possible" to add such a thing to an open source project.

That would be a bit naive.

It is like saying: it is not possible to be struck by lightning.

It is possible, just not very likely.


An "open source project" typically has dozens, sometimes hundreds, of independent developers, in countries all over the world, poring over the code.

Useful malware would take many hundreds or thousands of lines of source code.

How exactly would you propose that a malicious individual hides hundreds or thousands of lines of code in plain sight as a submission to an open source project being worked on by dozens of others?

It is just not credible that this could happen.

More to the point, in over a decade of open source software development over thousands and thousands of projects, it never has happened.

The proof, as they say, is in the pudding.

Reply Score: 2

RE[6]: Comment by OSbunny
by Lennie on Thu 22nd Sep 2011 10:55 UTC in reply to "RE[5]: Comment by OSbunny"
Lennie Member since:
2007-09-22

I have to admit, I don't remember it ever happening.

Most attempts have tried to abuse the version control system. With the current popularity of git (which has checks in place) that route is going to be less likely in the future.

Reply Score: 2

RE[7]: Comment by OSbunny
by lemur2 on Thu 22nd Sep 2011 11:02 UTC in reply to "RE[6]: Comment by OSbunny"
lemur2 Member since:
2007-02-17

I have to admit, I don't remember it ever happening.

Most attempts have tried to abuse the version control system. With the current popularity of git (which has checks in place) that route is going to be less likely in the future.


I don't recall any attempt to corrupt the version control.

There have been a number of occasions when open source development servers have been hacked. Someone has guessed a password.

AFAIK, no-one has ever managed to get malicious code into the source codebase, even after they have managed to hack into the development server. Such an attempt to inject code would stand out like nobody's business.

It is just too hard to try to hide malicious source code in an open source project.

Such a thing has never been done. Not even close.

Reply Score: 2

RE[4]: Comment by OSbunny
by Alfman on Thu 22nd Sep 2011 10:22 UTC in reply to "RE[3]: Comment by OSbunny"
Alfman Member since:
2011-01-28

lemur2,

"I repeat, it is not possible to put malware into a product using an open source development process."

I really don't want to make a fuss here, but this is the kind of overstated claim that does not take into account all of the possibilities. Could you use less absolute terminology, or at least more qualifiers?

Reply Score: 7

RE[5]: Comment by OSbunny
by lemur2 on Thu 22nd Sep 2011 10:30 UTC in reply to "RE[4]: Comment by OSbunny"
lemur2 Member since:
2007-02-17

lemur2,

"I repeat, it is not possible to put malware into a product using an open source development process."

I really don't want to make a fuss here, but this is the kind of overstated claim that does not take into account all of the possibilities. Could you use less absolute terminology, or at least more qualifiers?


I absolutely think you need to come up with some way that it would be possible, or even remotely feasible, before you start having a "holier than thou" go at someone else.

The whole point of open source is that it is a collaboration, a meritocracy. Lots of solutions are proposed and tried, and the best solution, as agreed by consensus amongst the community of developers, is adopted.

You come along and make an absolutely outrageous claim that this process can be corrupted by malware, in plain sight of everyone. You make this claim despite the fact that amongst thousands of open source projects across many years, it never has happened.

Then somehow you think I am the one who should pull my head in?

Unbelievable! Unmitigated gall. Utter balderdash.

Edited 2011-09-22 10:31 UTC

Reply Score: 0

RE[6]: Comment by OSbunny
by Alfman on Thu 22nd Sep 2011 10:31 UTC in reply to "RE[5]: Comment by OSbunny"
Alfman Member since:
2011-01-28

lemur2,

"I absolutely think you need to come up with some way that it would be possible, or even remotely feasible, before you start having a 'holier than thou' go at someone else.

The whole point of open source is that it is a collaboration, a meritocracy. Lots of solutions are proposed and tried, and the best solution, as agreed by consensus amongst the community of developers, is adopted.

You come along and make an absolutely outrageous claim that this process can be corrupted by malware, in plain sight of everyone.

Then somehow you think I am the one who should pull my head in?

Unbelievable! Unmitigated gall. Utter balderdash."


Holy crap!

Reply Score: 2

RE[6]: Comment by OSbunny
by nonoitall on Thu 22nd Sep 2011 11:12 UTC in reply to "RE[5]: Comment by OSbunny"
nonoitall Member since:
2011-09-22

An "open source project" typically has dozens, sometimes hundreds, of independent developers, in countries all over the world, poring over the code.

Perhaps for massive projects like the Linux kernel. Not so for the tens of thousands of obscure projects where the majority of development takes place when the sole dev can steal away from his college courses and side job to hammer out a few lines of code over the weekend.

Useful malware would take many hundreds or thousands of lines of source code.

It takes less than a dozen LoC to pop up a link to the author's "You're system may be infected!!!" webpage (with included "Pay me $100 for a program to clean it up" link) in quite a few different programming languages. And not all malware is necessarily useful. It doesn't take too many LoC to delete every file in the user's home directory either.

You come along and make an absolutely outrageous claim that this process can be corrupted by malware, in plain sight of everyone. You make this claim despite the fact that amongst thousands of open source projects across many years, it never has happened.

Never say never. (Unless you've analyzed every open source project in existence yourself?) I certainly wouldn't suggest that it's likely that an open source project would be compromised. In fact, I feel much more comfortable using OSS software over closed source counterparts.

That's still not grounds to make the even more outrageous claim that "it is not possible to put malware into a product using an open source development process" though. Anything is possible. The aforementioned college student, who is the sole developer of his software (used by 500 people and code reviewed by no one) could decide that he hates the world and include a keylogger in his next update. Is it really that inconceivable?

As far as technical ease goes, it's just as easy to put malware into an open source project as it is to put it into a closed source project. The open source case is just more likely to get caught if someone besides the malicious developer(s) is watching it. Again, I think OSS is awesome. But the phrase "not possible" was used incorrectly here. "Very unlikely without being caught" is better suited.

Back to the Windows 8 logo discussion... :-P

Reply Score: 3

RE[7]: Comment by OSbunny
by Nth_Man on Thu 22nd Sep 2011 18:45 UTC in reply to "RE[6]: Comment by OSbunny"
Nth_Man Member since:
2010-05-16

At first he said "AFAIK the track record is that malware has never been distributed to users via open source repositories", there are people who review what is going to be included in repositories, and probably later.

Reply Score: 2

RE[3]: Comment by OSbunny
by bert64 on Thu 22nd Sep 2011 10:33 UTC in reply to "RE[2]: Comment by OSbunny"
bert64 Member since:
2007-04-23

Such a backdoor would require fairly complex and specialised code, in an open source compiler that would be noticed so you could need to be using a closed source compiler...

The only realistic way to "backdoor" open source code, is to introduce a very subtle exploitable bug...
A blatant backdoor will be found quickly, whereas a bug may slip by...
Similarly, if your backdoor is found then you have deniability if it looks like a software bug, but if it's obviously a backdoor you will likely be named and shamed, as well as blocked from any future commits.

You would also need to be a competent developer, and to commit a significant amount of legitimate code to a project in order to build up a level of trust first. It wouldn't be a simple quick attack, it would need to be planned and thought out well in advance.

And also note that all of the above also applies to closed source too, someone sufficiently motivated and funded could get someone hired by a software company to work on the target product. It's also been my experience that code written by an employee comes under far less scrutiny than code from a new contributor to an open source project.

Reply Score: 6

RE[2]: Comment by OSbunny
by phoudoin on Thu 22nd Sep 2011 13:43 UTC in reply to "RE: Comment by OSbunny"
phoudoin Member since:
2006-06-09

Arguably, if something is indeed "Designed for Windows 8", it is reasonable to expect that it can't run anything but Windows 8.


Nope.
You'll be right if the logo says "Designed exclusively for Windows 8".

But it's not. And so one can expect it could run *something else*, too.
The exclusive semantic is what matters here.
And the consumer should be able to know it's not a versatile computer but a Windows 8 only computer he's buying. And he should know it *before* doing it.

Otherwise, there's valid legal ground to sue the seller who hid from you that it was not a Personal *Computer* but a *Windows 8 device*.

Considering the prior track record of personal computer sales, the consumer is legitimate in thinking that any device sold under this product family "name" is a versatile computer, not a locked-down computing device.

Edited 2011-09-22 13:48 UTC

Reply Score: 6

RE[2]: Comment by OSbunny
by malxau on Thu 22nd Sep 2011 20:08 UTC in reply to "RE: Comment by OSbunny"
malxau Member since:
2005-12-04

"If you want to hide malicious code you can do it in open source as well. There was that news a few months ago about openbsd having malicious code. Don't know whether it was true or not but the possibility remains.


Quote please. AFAIK the track record is that malware has never been distributed to users via open source repositories. The only way it happens is to distribute modified code binary-only executables to Windows users.
"

Do you remember this? I believe the code was distributed over CVS, but never made it into a release.

http://www.theregister.co.uk/2003/11/07/linux_kernel_backdoor_block...

Or when debian ran valgrind on openssl and shipped a broken version for years before it was detected, resulting in piles of compromised keys? The code was there for all to see.

http://blogs.fsfe.org/tonnerre/archives/24

As a paranoid afterthought, note we only know about these when they're detected. We don't know about the ones that are too good - which may be zero or may be large. We have no way to know.

I think as everyone else is saying, it's difficult, but not impossible. The code just needs to look correct even when it's not. That's a high bar, but it can be met. There's even a competition over who can do it well:

http://underhanded.xcott.com/

Reply Score: 3

RE[3]: Comment by OSbunny
by lemur2 on Thu 22nd Sep 2011 23:23 UTC in reply to "RE[2]: Comment by OSbunny"
lemur2 Member since:
2007-02-17

"If you want to hide malicious code you can do it in open source as well. There was that news a few months ago about openbsd having malicious code. Don't know whether it was true or not but the possibility remains. Quote please. AFAIK the track record is that malware has never been distributed to users via open source repositories. The only way it happens is to distribute modified code binary-only executables to Windows users.
Do you remember this? I believe the code was distributed over CVS, but never made it into a release. http://www.theregister.co.uk/2003/11/07/linux_kernel_backdoor_block... "

I had not heard of that one, that is as subtle as it can get. Note that despite this attempt, my original statement is still correct, "the track record is that malware has never been distributed to users via open source repositories".

Or when debian ran valgrind on openssl and shipped a broken version for years before it was detected, resulting in piles of compromised keys? The code was there for all to see. http://blogs.fsfe.org/tonnerre/archives/24


This was a bug, an error, a mistake. It was not malware. Malware is where someone deliberately tries to put malicious code into the system for their benefit at users' expense.

I repeat, AFAIK, "the track record is that malware has never been distributed to users via open source repositories".

As a paranoid afterthought, note we only know about these when they're detected. We don't know about the ones that are too good - which may be zero or may be large. We have no way to know. I think as everyone else is saying, it's difficult, but not impossible. The code just needs to look correct even when it's not. That's a high bar, but it can be met. There's even a competition over who can do it well: http://underhanded.xcott.com/


You have come up with just one unsuccessful attempt in over ten years of open source development, through countless versions, of many thousands of open source products.

One unsuccessful attempt. It was defeated by the very checks built into the open source development process, even as long ago as 2003. Now that open source development tools, such as git, have moved on from there, another such attempt today would have considerably less chance of getting even as far as the one you identified from 2003.

Contrast this to the situation with closed source distribution on Windows, with literally hundreds of millions of Windows computers infected worldwide, and two million new pieces of Windows malware written every year.

It cannot be said definitively that an attempt to put malware into an open source product and get it shipped to users via open source repositories is absolutely impossible, but we can say that as far as anyone can determine (to a very high level of confidence), no such attempts have ever been successful.

One cannot prove a negative, but "the track record is that it has never been done" gets as close as you can, for all practical intents and purposes.

Reply Score: 2

RE[4]: Comment by OSbunny
by malxau on Thu 22nd Sep 2011 23:52 UTC in reply to "RE[3]: Comment by OSbunny"
malxau Member since:
2005-12-04

"Or when debian ran valgrind on openssl and shipped a broken version for years before it was detected, resulting in piles of compromised keys? The code was there for all to see. http://blogs.fsfe.org/tonnerre/archives/24


This was a bug, an error, a mistake. It was not malware. Malware is where someone deliberately tries to put malicious code into the system for their benefit at users' expense.

I repeat, AFAIK, "the track record is that malware has never been distributed to users via open source repositories".
"

How do you know if it's a mistake? As the competition link illustrates, a key point here is plausible deniability - when code is caught, it can be plausibly said to be a mistake rather than malicious. But we have no way to know when that's really true; only the person who put it there knows their intention. A backdoor is planted in both cases, and we're left guessing as to why, and who knew about it, and whether it was being actively exploited.

Put another way, if the Debian openssl maintainer was malicious, we can clearly see that no OSS safeguard would protect against large scale compromise of machines. Plausible code can be included and distributed without sufficient review to ensure that it's secure.

Reply Score: 2

RE[5]: Comment by OSbunny
by lemur2 on Fri 23rd Sep 2011 00:01 UTC in reply to "RE[4]: Comment by OSbunny"
lemur2 Member since:
2007-02-17

Put another way, if the Debian openssl maintainer was malicious, we can clearly see that no OSS safeguard would protect against large scale compromise of machines. Plausible code can be included and distributed without sufficient review to ensure that it's secure.


No machines were compromised. The mistake that the Debian maintainer made reduced the security of machines by reducing the randomness of generated keys.

The machines were less secure than they should have been, but not insecure.

No one can guarantee that there is no unintentional bug in code. No one is claiming any such thing anyway.

You are the one who is making the extraordinary claim that it is possible to put intentional malware into an open source product and then have it distributed to end users using the repository system, yet you have absolutely zero instances when this has ever happened.

Put up or shut up.

Edited 2011-09-23 00:05 UTC

Reply Score: 3

RE[6]: Comment by OSbunny
by Alfman on Fri 23rd Sep 2011 01:18 UTC in reply to "RE[5]: Comment by OSbunny"
Alfman Member since:
2011-01-28

lemur2,

"No one can guarantee that there is no unintentional bug in code. No one is claiming any such thing anyway."

No one can guarantee that there is no intentional bug in code either. The difference between intentional bugs and unintentional bugs is...intent. Well intentioned programmers succeed in getting exploitable bugs into OSS every now and then, yet you make it sound like it is impossible for maligned programmers to do the exact same thing? Why?

How do we distinguish between deliberate vulnerabilities or accidental ones? Can you supply a test which differentiates between these cases?


"You are the one who is making the extraordinary claim that it is POSSIBLE to put intentional malware into an open source product and then have it distributed to end users using the repository system," (my emphasis)

It's not likely, but it's certainly not impossible.

"yet you have absolutely zero instances when this has ever happened."

There are around 30K packages in Ubuntu, have they closely vetted each one for intentional vulnerabilities? Unless someone was caught red handed, how would we know?

It would not be *technically impossible* for a maintainer in possession of the signing key to deliberately sign malware either and distribute it in a targeted attack such that no one other than the victim would see evidence of the attack. Repositories work because we trust the character of its maintainers.

As an example: If an evil entity wanted to, they could create a new linux distro complete with its own repository. This is certainly possible. Then, using the exact same technology other distros use, they could then distribute malware via that repository. Do you admit that there is nothing about the repository technology itself which makes malware impossible? Isn't the only difference here the integrity of the maintainers?

These are all legitimate questions, I'd be grateful for legitimate answers.

Edited 2011-09-23 01:22 UTC

Reply Score: 2

RE[7]: Comment by OSbunny
by lemur2 on Fri 23rd Sep 2011 01:35 UTC in reply to "RE[6]: Comment by OSbunny"
lemur2 Member since:
2007-02-17

As an example: If an evil entity wanted to, they could create a new linux distro complete with its own repository. This is certainly possible. Then, using the exact same technology other distros use, they could then distribute malware via that repository. Do you admit that there is nothing about the repository technology itself to make malware impossible? Isn't the only difference here the integrity of the maintainers?

These are all legitimate questions, I'd be grateful for legitimate answers.


This is getting way off topic, but the legitimate answer is to look at what actually happens.

Hundreds of millions of Windows PCs are compromised by trojan malware deliberately introduced into Windows executables and then distributed to unsuspecting users via channels that said users normally use.

In contrast, open source developers typically form groups to collaborate on products for their mutual benefit, with no other common ties other than their own self-interest in the integrity of the product, putting in thousands of hours work which necessarily involves poring all over the code submitted by colleagues. The ONLY imaginable opportunity to inject malware in semi-secret would be after the source code is taken from the development server, compiled, tested and signed by a repository maintainer, and placed into the repository for distribution. The repository, however, requires both binary code and source code to be made available, so the repository maintainer could only get away with injecting intentional malware by having the binary not match the source code. However, downstream recipients of the code can compile it themselves, and check it against the binary, so such a ruse (if it was ever attempted) would easily be discovered.

So in effect we are talking about a scenario roughly equivalent to a bank robber attempting to rob a bank by submitting a withdrawal slip with his/her real, verifiable signature on it.

So no, we don't have to trust only the integrity of repository maintainers. We can absolutely rely simply on repository maintainers following their own best self-interest, and not incriminating themselves to all the world.

Have a think to yourself just how silly your suggestions really are in the real world, and then perhaps you might come to a realisation as to why they have never eventuated.

You are the one who is making the extraordinary claim that it is possible to put intentional malware into an open source product and then have it distributed to end users using the repository system, yet you have absolutely zero instances when this has ever happened.

Put up or shut up.

Edited 2011-09-23 01:49 UTC

Reply Score: 2
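
The compile-and-compare check described in the comment above, as an added example that is not part of the original thread: the comparison only means something when the build is deterministic, so this sketch packs a constructed source tree into a tarball as a stand-in for a real compile and runs the check with and without pinned build inputs. The file contents, builder names and the fixed timestamp are all assumptions made for the illustration.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample source tree (path -> contents), standing in for a checkout.
SOURCE_TREE = {
    "src/main.c": b'#include <stdio.h>\nint main(void) { puts("hello"); return 0; }\n',
    "src/util.c": b"int add(int a, int b) { return a + b; }\n",
    "Makefile": b"all:\n\tcc -o hello src/main.c src/util.c\n",
}

FIXED_EPOCH = 1316649600  # assumed pinned timestamp, 2011-09-22 00:00:00 UTC


def build(tree, build_time, builder, normalize):
    """Stand-in for a compile step: pack the tree into a .tar.gz 'package'.

    normalize=False embeds the build time and builder name in the artifact,
    as many real toolchains do. normalize=True pins file order, timestamps
    and ownership so identical source always yields identical bytes.
    """
    names = sorted(tree) if normalize else list(tree)
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mode = 0o644
            info.uid = info.gid = 0
            info.mtime = FIXED_EPOCH if normalize else build_time
            info.uname = info.gname = "" if normalize else builder
            tar.addfile(info, io.BytesIO(tree[name]))
    out = io.BytesIO()
    # The gzip header carries its own timestamp, which must be pinned too.
    gz_mtime = FIXED_EPOCH if normalize else build_time
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gz_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def matches_source(published, tree, normalize,
                   build_time=1316736000, builder="verifier"):
    """Downstream check: rebuild from source and compare digests."""
    rebuilt = build(tree, build_time, builder, normalize)
    return sha256_hex(rebuilt) == sha256_hex(published)


def demo():
    maint_time = 1316650000  # constructed: when the maintainer built the package
    tampered = dict(SOURCE_TREE)
    tampered["src/util.c"] += b"/* constructed stand-in for an injected change */\n"
    return {
        # Same source, unpinned build inputs: digests differ, so the check
        # cannot tell an honest package from a modified one.
        "naive_same_source": matches_source(
            build(SOURCE_TREE, maint_time, "maintainer", False), SOURCE_TREE, False),
        # Same source, pinned inputs: bit-for-bit identical.
        "pinned_same_source": matches_source(
            build(SOURCE_TREE, maint_time, "maintainer", True), SOURCE_TREE, True),
        # Package built from modified source, pinned inputs: mismatch is real.
        "pinned_tampered": matches_source(
            build(tampered, maint_time, "maintainer", True), SOURCE_TREE, True),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'match' if ok else 'MISMATCH'}")
```

With unpinned inputs an honest package and a modified one both show up as a mismatch, so the rebuild only catches a substituted binary once the build is reproducible.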

RE: Comment by OSbunny
by Soulbender on Thu 22nd Sep 2011 04:29 UTC in reply to "Comment by OSbunny"
Soulbender Member since:
2005-08-18

If you want to hide malicious code you can do it in open source as well.


It's a lot harder though.

There was that news a few months ago about openbsd having malicious code.


Except that was completely bogus. The code's been audited and no such backdoor was found. Just because you can make a rumour about something doesn't mean it's probable.

Reply Score: 8

How about LiveCDs or USB Drives?
by BlueofRainbow on Thu 22nd Sep 2011 01:15 UTC
BlueofRainbow
Member since:
2009-01-06

Reading through the background (linked) articles, I'm not sure if I fully understand the various keys and what they do.

However, it seems that the firmware would not load a non-signed OS at boot time. If this is correct, then would this block experimenting with other OSes via LiveCDs or USB Drives? Would this also block the Hackintosh initiative?

I can appreciate the need for greater security. However, not at the expense of my freedom of choosing the OS I wish to boot.

Reply Score: 1

lemur2 Member since:
2007-02-17

Reading through the background (linked) articles, I'm not sure if I fully understand the various keys and what they do. However, it seems that the firmware would not load a non-signed OS at boot time. If this is correct, then would this block experimenting with other OSes via LiveCDs or USB Drives? Would this also block the Hackintosh initiative? I can appreciate the need for greater security. However, not at the expense of my freedom of choosing the OS I wish to boot.


As I understand it, you won't be able to boot any OS which isn't signed with a key compatible to what is stored in the UEFI firmware.

Which media is booted from is not important ... Linux LiveCDs or LiveUSBs would not boot (unless signed). Somehow I can't see compatible signing keys being given to Linux projects such as Ubuntu or OpenSuSe.

Reply Score: 3

Neolander Member since:
2010-03-08

Any device which you can boot from is affected. The only way to boot an unsigned OS is to disable "secure boot"... when possible.

Edited 2011-09-22 07:32 UTC

Reply Score: 1

Possibly very good
by TheChucklesStart on Thu 22nd Sep 2011 01:58 UTC
TheChucklesStart
Member since:
2009-04-17

If this stays as an option in the bios that we can turn off, or if the linux community get their own software signed in a practical manner, then there is a very, very good side to this.

This good side is SECURITY. If the operating system cannot be modified, then you can't get a root kit, which means that the operating system can, in theory, still stop malware. In the days of large corporations seemingly being hacked into every few weeks... this type of security is bound to become commonplace for both windows and linux machines, even well controlled servers.

I imagine it will take a while for the kinks to be worked out (they are still working on that with phones), but in the end, I imagine IT support will NEED to have the option to turn off any secure boot options to fix computers efficiently.

Reply Score: 1

RE: Possibly very good
by lemur2 on Thu 22nd Sep 2011 02:07 UTC in reply to "Possibly very good"
lemur2 Member since:
2007-02-17

If this stays as an option in the bios that we can turn off, or if the linux community get their own software signed in a practical manner, then there is a very, very good side to this.


It is not a problem of the linux community, it is a problem that whoever makes the UEFI hardware won't give out signing keys to anybody and everybody. They will put only a certain number of keys in the UEFI ROMs, and the only OSes which will boot will be those signed with a matching key.

If they then give signing keys out to everybody who wanted to compile a new kernel, then root-kit authors could sign their root kits, and we are back to square one. They may as well not have the whole secure boot thing in the first place. It only makes sense if the signing keys are kept as secrets.

Edited 2011-09-22 02:09 UTC

Reply Score: 4

RE[2]: Possibly very good
by TheChucklesStart on Thu 22nd Sep 2011 03:35 UTC in reply to "RE: Possibly very good"
TheChucklesStart Member since:
2009-04-17

Or the UEFI industry could move to using a Certificate Authority like most current code signing systems do.

They could also allow you to load certificates from a USB drive for self signed code, making it harder for a malware author to put their certificate in the UEFI but making it fairly painless for a user to handle.

Reply Score: 1

RE[3]: Possibly very good
by lemur2 on Thu 22nd Sep 2011 03:51 UTC in reply to "RE[2]: Possibly very good"
lemur2 Member since:
2007-02-17

Or the UEFI industry could move to using a Certificate Authority like most current code signing systems do. They could also allow you to load certificates from a USB drive for self signed code, making it harder for a malware author to put their certificate in the UEFI but making it fairly painless for a user to handle.


I'm not sure if this would work, or not. How would it still be impossible for a blackhat author to self-sign their malware rootkit?

If it can work, and it could be possible to make it fairly painless for a user to boot self-signed code, and the industry doesn't do it ... then the concerns expressed by the author of the original article would be shown to have been completely valid, would they not?

Reply Score: 2

RE[3]: Possibly very good
by Lennie on Thu 22nd Sep 2011 09:16 UTC in reply to "RE[2]: Possibly very good"
Lennie Member since:
2007-09-22

CAs are actually what they are using.

The question is obviously, what happens when a CA makes a mess of it.

Reply Score: 2

RE[2]: Possibly very good
by mabhatter on Fri 23rd Sep 2011 01:52 UTC in reply to "RE: Possibly very good"
mabhatter Member since:
2005-07-17

They could always add an option to generate your OWN key or passphrase for signing Open Source software right in the bios. It wouldn't really affect Microsoft because it could be a different format or something and you'd have to generate it so it wouldn't be one of their keys. Then they could have an open source program to sign the stuff to run on it.

It'd be trivial to implement, that is what the Open Source people should be going for.

Reply Score: 2

RE: Possibly very good
by Neolander on Thu 22nd Sep 2011 07:24 UTC in reply to "Possibly very good"
Neolander Member since:
2010-03-08

Except the OS can be modified, at least in its current form. If you can install an antivirus which checks and alters every file you open, you can install a rootkit.

Reply Score: 2

RE: Possibly very good
by Lennie on Thu 22nd Sep 2011 09:15 UTC in reply to "Possibly very good"
Lennie Member since:
2007-09-22

Yes, everyone is convinced about the advantages.

It has actually been possible for years already on many CPUs.

TPM is just a requirement now.

But the downsides could also be great if people are not allowed to control their own computers anymore.

If I'm able to load my own key in the BIOS... euh.. UEFI firmware then that is fine.

But who will guarantee that the same thing is true in 5 or 10 years?

Reply Score: 3

RE: Possibly very good
by judgen on Thu 22nd Sep 2011 18:19 UTC in reply to "Possibly very good"
judgen Member since:
2006-07-12

Of course the OS can be modified. How else would you be able to do a windows update or install a service pack that fixes kernel problems and exploits? It is just a matter of time before that security layer is broken and windows clients are as infected as they ever were before. The only side to this that makes sense for me is the argument of locking other OS'es out and securing the microsoft monopoly for a while longer.

Once it is backwards engineered (as that is legal in all countries) though it is fair game for all, and considering the number of hackers on x86 compared to code-monkeys that hack on consoles, I would bet a legal backwards engineering effort would be set up fast and succeed in a rather short time.

In other words, I do not worry too much.

Reply Score: 2

Comment by Drumhellar
by Drumhellar on Thu 22nd Sep 2011 02:54 UTC
Drumhellar
Member since:
2005-07-12

I'm confident that most OEMs will provide an option in the BIOS to disable this, at least for desktops or laptops. I think competitive pressures will force them. Probably, some OEMs will initially, and some won't, requiring users to check whether it's supported before purchase, but eventually all OEMs will add it.

I'm not so confident for tablets, though.

Reply Score: 4

RE: Comment by Drumhellar
by AnythingButVista on Thu 22nd Sep 2011 14:56 UTC in reply to "Comment by Drumhellar"
AnythingButVista Member since:
2008-08-27

I'm confident that most OEMs will provide an option in the BIOS to disable this, at least for desktops or laptops.

And I'm confident OEMs will make you give up your warranty rights if you disable secure boot. This could be like HTC unlocking bootloaders on their devices but voiding your warranty if you choose to do so.

Reply Score: 2

RE[2]: Comment by Drumhellar
by lucas_maximus on Thu 22nd Sep 2011 19:13 UTC in reply to "RE: Comment by Drumhellar"
lucas_maximus Member since:
2009-08-18

And I'm confident OEMs will make you give up your warranty rights if you disable secure boot. This could be like HTC unlocking bootloaders on their devices but voiding your warranty if you choose to do so.



Except HTC are quite happy with you rooting the device these days ...

Reply Score: 2

Comment from a dumb user
by sb56637 on Thu 22nd Sep 2011 05:08 UTC
sb56637
Member since:
2006-05-11

To my uneducated mind, this sounds like the issue that people are having with some Motorola Android devices. They have locked bootloaders that don't permit any firmware not signed by Motorola to be installed. Is this approximately what Microsoft is looking to do now?

Looks like this "walled garden" concept has nothing to do with OS security, but rather with vendor security.

Reply Score: 5

RE: Comment from a dumb user
by Alfman on Thu 22nd Sep 2011 06:05 UTC in reply to "Comment from a dumb user"
Alfman Member since:
2011-01-28

"They have locked bootloaders that don't permit any firmware not signed by Motorola to be installed. Is this approximately what Microsoft is looking to do now?"

Microsoft already does this with win vista/7 kernels. The owner is not free to install independent drivers without buying a one or two year signing key. It seems to be a deliberate attack against OSS in the windows kernel. Just after I was beginning to learn how to write kernel drivers, microsoft banned us from installing our own drivers on our own computers. They've hard-coded private keys.

"Looks like this 'walled garden' concept has nothing to do with OS security, but rather with vendor security."

Technically, it has a lot more to do with bootloader security than OS security, windows will have the same flaws as before.

It prevents unauthorized bootloaders from running. However in the context of a real attack, the installation of a malicious bootloader that secure boot would help protect against suggests that the system has already been compromised elsewhere. So secure boot would be of limited security value here.

They actually tried something similar before with TCM/Palladium, which may provide insight into what they are trying to accomplish... DRM.

As much as MS might want to block out linux, I cannot imagine any scenario where microsoft would not face serious legal repercussions if they tried. So, if I may speculate, this is about extending the kernel driver enforcement all the way back to the bootloader so that kernel jailbreaking software like this cannot work:

http://www.softpedia.com/get/Tweak/Video-Tweak/Driver-Signature-Enf...

Reply Score: 3

RE[2]: Comment from a dumb user
by UglyKidBill on Thu 22nd Sep 2011 07:55 UTC in reply to "RE: Comment from a dumb user"
UglyKidBill Member since:
2005-07-27

>>>"They have locked bootloaders that don't permit any firmware not signed by Motorola to be installed. Is this approximately what Microsoft is looking to do now?"

Microsoft already does this with win vista/7 kernels. The owner is not free to install independent drivers without buying a one or two year signing key. It seems to be a deliberate attack against OSS in the windows kernel. Just after I was beginning to learn how to write kernel drivers, microsoft banned us from installing our own drivers on our own computers. They've hard-coded private keys.

"Looks like this 'walled garden' concept has nothing to do with OS security, but rather with vendor security."

Technically, it has a lot more to do with bootloader security than OS security, windows will have the same flaws as before.

It prevents unauthorized bootloaders from running. [...]
So, if I may speculate, this is about extending the kernel driver enforcement all the way back to the bootloader so that kernel jailbreaking software like this cannot work:

http://www.softpedia.com/get/Tweak/Video-Tweak/Driver-Signature-Enf...


Maybe it will break those loaders used to bypass windows activation schemes? That alone would be of great benefit for microsoft, especially in the bottom server side of the market...

Reply Score: 1

RE[2]: Comment from a dumb user
by Soulbender on Thu 22nd Sep 2011 17:00 UTC in reply to "RE: Comment from a dumb user"
Soulbender Member since:
2005-08-18

The owner is not free to install independent drivers without buying a one or two year signing key


Wait...WHAT? Are you saying that I, the owner of the OS copy and the owner of the physical hardware, can not install whatever drivers I want? On my own hardware? For real? What in the holy hell? Oceania and The Party have nothing on Microsoft....

Reply Score: 2

RE[3]: Comment from a dumb user
by Alfman on Thu 22nd Sep 2011 20:06 UTC in reply to "RE[2]: Comment from a dumb user"
Alfman Member since:
2011-01-28

Soulbender,

"Wait...WHAT? Are you saying that I, the owner of the OS copy and the owner of the physical hardware, can not install whatever drivers I want? On my own hardware? For real? What in the holy hell? Oceania and The Party has nothing on Microsoft...."

Yep.

http://www.ditii.com/2007/02/10/disabling-mandatory-kernel-mode-and...

I provided this next link earlier, which automatically switches the vista/7 kernels to a test mode that does not enforce software signatures. However this mode forcefully disables all access to DRM restricted APIs/hardware.

http://www.softpedia.com/get/Tweak/Video-Tweak/Driver-Signature-Enf...

There have been other ways to jailbreak the windows vista/7 kernels over the years, some involving privilege escalation, leaked keys, bootloader modifications. None of these were long term solutions, because microsoft continually disabled them (and our drivers cease to load).

Some open source supporters even purchased their own driver signing keys and created a tool that allows OSS users to load drivers as they please, their key was promptly blacklisted by microsoft, despite the fact that the tool was not malware and worked exactly as advertised.

http://www.zdnet.com/blog/security/vista-kernel-tampering-tool-rele...

Reply Score: 3

RE[4]: Comment from a dumb user
by Soulbender on Thu 22nd Sep 2011 20:28 UTC in reply to "RE[3]: Comment from a dumb user"
Soulbender Member since:
2005-08-18

That's insane. I knew there was a good reason I don't use Windows 7. Well, that and the fact that Windows 7 provides nothing whatsoever that I need.

It should be obvious that giving MS the benefit of doubt regarding this secure boot thing is not a good idea. At all.

Reply Score: 2

RE[5]: Comment from a dumb user
by Alfman on Thu 22nd Sep 2011 21:03 UTC in reply to "RE[4]: Comment from a dumb user"
Alfman Member since:
2011-01-28

Soulbender,

Most users aren't affected, but for those who are... it's devastating. A whole lot of alternative file systems were effectively banned in vista, which was my interest in writing windows drivers prior to the lockdown.

OpenAFS, a fairly popular distributed network FS, had one clever yet insane workaround for windows clients. They enable the user to map drives by implementing a virtual SMB server running on the local host which acts as a translating proxy between the windows SMB stack and remote AFS nodes. Now of course such a thing can be made to work, but it's restrictions like this that make windows intolerable. It's my computer, let me do as I damn well please.

Edited 2011-09-22 21:10 UTC

Reply Score: 3

RE: Comment from a dumb user
by WorknMan on Thu 22nd Sep 2011 06:54 UTC in reply to "Comment from a dumb user"
WorknMan Member since:
2005-11-13

To my uneducated mind, this sounds like the issue that people are having with some Motorola Android devices. They have locked bootloaders that don't permit any firmware not signed by Motorola to be installed.


Well, not just Motorola Android devices, but several different kinds of Android devices. And do you know what? Pretty much every one of them get rooted anyway.

From my point of view, it's a good safety measure on PCs, since 99% of people would never try to boot another OS anyway. Just give people an option to unlock if they want, and make it so that you need physical access to the PC, and make it just hard enough to find so nobody could/would do it on accident.

Reply Score: 2

RE[2]: Comment from a dumb user
by Alfman on Thu 22nd Sep 2011 07:23 UTC in reply to "RE: Comment from a dumb user"
Alfman Member since:
2011-01-28

WorknMan,


"From my point of view, it's a good safety measure on PCs, since 99% of people would never try to boot another OS anyway."

Can you explain why you think it's a good safety measure? Unless I've missed something, there would only be two ways to boot a malicious bootloader/OS:

1. The system is already compromised and rooted such that the attacker was able to overwrite the bootloader/OS. In this case, chances are very high that the attacker can do whatever he pleases already with or without secure boot.

2. The user boots from external bootable media like a cd/thumbdrive.

If secure boot is going to prevent 99% of bootable media from booting anyways (seeing as most of us won't be able to get them signed), then I question the need for disabling external booting via secure boot instead of simply disabling external booting outright by default?


"Just give people an option to unlock if they want, and make it so that you need physical access to the PC, and make it just hard enough to find so nobody could/would do it on accident."

I agree that the ability to disable secure boot would be one option. Better yet would be to allow owners to control the keys on their own systems such that they could actually use secureboot with alternative operating systems. There is no reason for this feature to be hard coded for use by microsoft/manufacturers (other than to shift control to them).

Edited 2011-09-22 07:31 UTC

Reply Score: 2

RE[2]: Comment from a dumb user
by bert64 on Thu 22nd Sep 2011 10:45 UTC in reply to "RE: Comment from a dumb user"
bert64 Member since:
2007-04-23

This should not be something that is configured by the manufacturer or software vendor...
It should be up to the purchaser of the hardware, be it an end user or a corporation, to load their trusted keys into the firmware.

If the keys are provided by someone else then it does little to help corporate security, as an attacker could just boot their own copy of a signed OS.

Similarly, using CAs is not a good idea, look at the recent hacks against various CAs...

Corporations should maintain their own internal CA, and keep the private key secure, that way their workstations would only be able to load software signed by the corporate key. Remember any given corporation will decide what software it wants to run, and won't be happy having that dictated by a third party who holds the signing keys.

Changing the key should require the setting of a hardware jumper, and the execution of an EFI based key management tool signed by one of the currently trusted keys.

Yes this would provide a method to brick hardware if you lose the keys or load an invalid one, and since the devices are under user control there would always be a way round it even if that required hardware mods.

Reply Score: 4
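The owner-controlled key policy bert64 describes above, as an added sketch that is not code from this thread or from any real firmware. Toy textbook RSA stands in for real signatures so it runs on the standard library alone; the `Firmware` class, the key names and the images are hypothetical.

```python
import hashlib

# Toy textbook RSA over known Mersenne primes: constructed and insecure, used
# only so the example runs with the standard library. Real firmware verifies
# X.509/RSA signatures; every name below is hypothetical.
def make_key(p_exp, q_exp, e=65537):
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    return {"pub": (n, e), "priv": (n, pow(e, -1, (p - 1) * (q - 1)))}


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return 0 <= sig < n and pow(sig, e, n) == _digest(data, n)


class Firmware:
    """Model of a boot trust store whose keys the hardware owner controls."""

    def __init__(self, initial_keys):
        self.trusted = dict(initial_keys)  # name -> public key

    def _signed_by_trusted(self, data, sig):
        return any(verify(pub, data, sig) for pub in self.trusted.values())

    def can_boot(self, image, sig):
        # The check proves who signed the image, not that the image is benign.
        return self._signed_by_trusted(image, sig)

    @staticmethod
    def request(action, name, pub=(0, 0)):
        # Canonical bytes of a key-management request, which must be signed.
        return f"{action}|{name}|{pub[0]}|{pub[1]}".encode()

    def _authorised(self, req, auth_sig, jumper_set):
        # Both conditions from the comment: physical jumper AND a request
        # signed by a key that is trusted right now.
        if not jumper_set:
            return "rejected: jumper not set"
        if not self._signed_by_trusted(req, auth_sig):
            return "rejected: not signed by a trusted key"
        return None

    def enroll(self, name, pub, auth_sig, jumper_set):
        err = self._authorised(self.request("enroll", name, pub), auth_sig, jumper_set)
        if err:
            return err
        self.trusted[name] = pub
        return "enrolled"

    def remove(self, name, auth_sig, jumper_set):
        err = self._authorised(self.request("remove", name), auth_sig, jumper_set)
        if err:
            return err
        if name not in self.trusted:
            return "rejected: unknown key"
        if len(self.trusted) == 1:
            return "rejected: would leave no trusted key"  # avoids the brick case
        del self.trusted[name]
        return "removed"


def demo():
    corp_old = make_key(127, 89)    # current corporate signing key
    corp_new = make_key(107, 61)    # its replacement
    outsider = make_key(521, 607)   # any third party the company did not choose
    fw = Firmware({"corp-2011": corp_old["pub"]})
    corp_image = b"constructed corporate boot image"
    other_image = b"constructed third-party boot image"
    r = {}
    r["corp_boots"] = fw.can_boot(corp_image, sign(corp_old["priv"], corp_image))
    r["third_party_boots"] = fw.can_boot(other_image, sign(outsider["priv"], other_image))
    r["tampered_boots"] = fw.can_boot(corp_image + b"!", sign(corp_old["priv"], corp_image))
    req = Firmware.request("enroll", "corp-2012", corp_new["pub"])
    auth = sign(corp_old["priv"], req)
    r["no_jumper"] = fw.enroll("corp-2012", corp_new["pub"], auth, jumper_set=False)
    self_req = Firmware.request("enroll", "outsider", outsider["pub"])
    r["self_authorised"] = fw.enroll("outsider", outsider["pub"],
                                     sign(outsider["priv"], self_req), jumper_set=True)
    r["rotation"] = fw.enroll("corp-2012", corp_new["pub"], auth, jumper_set=True)
    r["new_key_boots"] = fw.can_boot(corp_image, sign(corp_new["priv"], corp_image))
    rm_auth = sign(corp_new["priv"], Firmware.request("remove", "corp-2011"))
    r["old_key_removed"] = fw.remove("corp-2011", rm_auth, jumper_set=True)
    r["old_key_boots_after_removal"] = fw.can_boot(
        corp_image, sign(corp_old["priv"], corp_image))
    return r


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The last-key guard in `remove` is an added design choice; the comment itself accepts that losing the keys could brick the machine.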

Comment by Luminair
by Luminair on Thu 22nd Sep 2011 05:17 UTC
Luminair
Member since:
2007-03-30

This is what you do to your appliance when you don't want people hacking it.

This is NOT what you do for your traditional, flexible, personal computer. This sounds like a bridge too far for Microsoft to go. I do expect such stuff from Apple.

Reply Score: 3

Comment by cm49
by cm49 on Thu 22nd Sep 2011 05:53 UTC
cm49
Member since:
2007-03-23

The keys will be leaked, eventually. In which case, from a security perspective, the gains will be zero. And this will be just another obstacle for end-users.

Reply Score: 2

.
by Icaria on Thu 22nd Sep 2011 06:42 UTC
Icaria
Member since:
2010-06-19

Could someone in the know explain the 'Windows Logo Programme'? It's in my limited understanding that signed bootloaders is a prerequisite for showing the 'Windows compatible' logo, not a prerequisite for getting an OEM licence to put Windows on your products.

Someone please correct me if I'm wrong.

Also, I hate this attitude of 'it'll be hacked anyway'. It took years for the current crop of consoles to be reliably compromised (not counting Wii), there's plenty of phones that still haven't been cracked, even after years on the market and there's plenty of DRM'd media that hasn't been cracked. It's not a sure thing, not even close and the extra barriers to entry this presents, even if cracked, could prove enough to just about kill enthusiast computing.

Reply Score: 6

RE: .
by Alfman on Thu 22nd Sep 2011 07:06 UTC in reply to "."
Alfman Member since:
2011-01-28

Icaria,

"Also, I hate this attitude of 'it'll be hacked anyway'."

Forcing manufacturers to include anti-features is wrong whether or not it's hackable.

"even if cracked, could prove enough to just about kill enthusiast computing."

And this is really where I have a problem with it. Instead of making computers more open and accessible for everyone, this secure boot severely discourages independent development and innovation.

* I'm running with the assumption that Matthew Garrett is correct that owners will not be in possession of their own keys.

Reply Score: 3

Option to Disable
by lucas_maximus on Thu 22nd Sep 2011 07:11 UTC
lucas_maximus
Member since:
2009-08-18

There will be an option to disable this feature otherwise the EU will be all over Microsoft like a plague.

Reply Score: 2

RE: Option to Disable
by qbast on Thu 22nd Sep 2011 07:46 UTC in reply to "Option to Disable"
qbast Member since:
2010-02-08

Why after Microsoft? It will be OEMs who implement this feature. If they are too lazy to allow disabling or they void warranty if user does then it is hardly MS fault.

Reply Score: 1

RE[2]: Option to Disable
by UglyKidBill on Thu 22nd Sep 2011 08:04 UTC in reply to "RE: Option to Disable"
UglyKidBill Member since:
2005-07-27

Why after Microsoft? It will be OEMs who implement this feature. If they are too lazy to allow disabling or they void warranty if user does then it is hardly MS fault.

If MS says there can't be an option to disable this then it would leave OEMs without much choice.
Remember, MS did this when it forbade OEMs to bundle 3rd party web browsers; it was a condition to retain OEM status.

Reply Score: 2

RE[3]: Option to Disable
by lucas_maximus on Thu 22nd Sep 2011 09:55 UTC in reply to "RE[2]: Option to Disable"
lucas_maximus Member since:
2009-08-18

And they had an anti-trust ruling against it.

Reply Score: 2

RE[4]: Option to Disable
by bert64 on Thu 22nd Sep 2011 11:31 UTC in reply to "RE[3]: Option to Disable"
bert64 Member since:
2007-04-23

A ruling which took years, during which time they continued doing damage... By the time the ruling came about there were further delays while they negotiated the punishment (which is stupid btw, punishment should simply be assigned and they have to accept it, no negotiation).

Reply Score: 3

RE[5]: Option to Disable
by lucas_maximus on Thu 22nd Sep 2011 12:53 UTC in reply to "RE[4]: Option to Disable"
lucas_maximus Member since:
2009-08-18

Punishment negotiation is normal even for Criminal Law,

http://www.hse.gov.uk/enforce/enforcementguide/court/sentencing-hea...

Luckily I don't live in draconian countries where things are decided willy nilly.

And they were still punished ...

If you guys don't like it I suggest that you actually contact your representatives, rather than inform me (who can't do anything about it) that you don't think it was insufficient.

Also IE didn't actually need to bundle IE4 to destroy netscape ... http://news.cnet.com/2100-1001-203884.html
1 million downloads of IE4 in 4 days (3rd October 1997 is a Friday, the article says the release was on the previous Tuesday).

The EU also made them produce a version of Windows XP that didn't bundle Media player (that nobody purchased) and the browser screen ballot screen, that Opera cried and screamed about to get the IE symbol removed and hardly anyone outside of Germany use Opera.

Anyway,

Secure boot is going to have to be optional because there are still lots of PCs capable of running Windows 8 that are still using BIOS. So I am pretty sure dual booting will still be an option in the future.

Also why would people buy a Windows 8 Certified machine to run Linux/OpenBSD/Android etc. on it? Sounds a bit silly to me.

Also what is there to stop someone booting linux using the Windows Bootloader (which I have done since Win2k)?

Edited 2011-09-22 13:09 UTC

Reply Score: 2

RE[6]: Option to Disable
by judgen on Thu 22nd Sep 2011 18:30 UTC in reply to "RE[5]: Option to Disable"
judgen Member since:
2006-07-12

"The EU also made them produce a version of Windows XP that didn't bundle Media player (that nobody purchased) and the browser screen ballot screen, that Opera cried and screamed about to get the IE symbol removed and hardly anyone outside of Germany use Opera."

Two mistakes there 1. The version of windows you are referring to was actually A LOT more expensive than the "real" deal over here at least and also not available for purchase almost anywhere.
2. Opera is widely used in the eastern bloc (former warsaw pact countries) for example check browser statistics for Opera in Ukraine where it is installed by default on most government computers and is very popular in general usage due to the "low bandwidth" mode that Opera has available.

Reply Score: 4

RE[7]: Option to Disable
by lucas_maximus on Thu 22nd Sep 2011 19:03 UTC in reply to "RE[6]: Option to Disable"
lucas_maximus Member since:
2009-08-18

Two mistakes there 1. The version of windows you are referring to was actually A LOT more expensive than the "real" deal over here at least and also not available for purchase almost anywhere.


I remember it being exactly the same price for XP ... however I could be wrong (not the first time).

I did however look at the Windows 7 N version ... and the prices are more or less the same according to results on google shopping.

So at least now it seems they are in the same price range.

Personally though nobody has done anything about iTunes and iPods/iPhones ... but the EU felt it needed to do something about Windows Media player?

2. Opera is widely used in the eastern bloc (former warsaw pact countries) for example check browser statistics for Opera in Ukraine where it is installed by default on most government computers and is very popular in general usage due to the "low bandwidth" mode that Opera has available.


I appreciate that ... but globally that isn't the case.

I know it is popular in the Ukraine ... my Girl's home country.

My main point is that Globally it didn't really help any browser to gain anything IMO .. TBH it just confused normal users (such as my stepmother and father) who were perfectly happy using IE (I had a phone call while at work and had to google what the hell it was about).

I work with devs most of the day ... and the most used browser (outside of my team) is IE. We have Oracle, SAP devs, Network and Server teams ... and only the web team use browsers that aren't IE.

Even the Electronic Media department are quite happy using IE even though anyone in our company can install any browser they wish (admin permissions are quite lax ... won't be after Win7 rollout). Most of them have Firefox and Chrome installed but just use IE ...

The thing that gets me is the constant Microsoft Bashing by people who don't really have a clue IMO.

Edited 2011-09-22 19:09 UTC

Reply Score: 2

RE[6]: Option to Disable
by Thomas2005 on Fri 23rd Sep 2011 14:56 UTC in reply to "RE[5]: Option to Disable"
Thomas2005 Member since:
2005-11-07

Also why would people buy a Windows 8 Certified machine to run Linux/OpenBSD/Android etc. on it? Sounds a bit silly to me.

Also what is there to stop someone booting linux using the Windows Bootloader (which I have done since Win2k)?

People will not buy a "Windows 8 Certified" machine to run Linux/*BSD/Android/etc on, but people will buy a computer that meets their wants/needs that is in their price range that happens to be "Windows 8 Certified". Just as not everyone likes to tinker with open-source OS/apps, not everyone that tinkers with open-source OS/apps likes to tinker with hardware.

As far as using the Windows boot-loader, it could get replaced with one that checks for "properly" signed code.

Reply Score: 2

RE[2]: Option to Disable
by lemur2 on Thu 22nd Sep 2011 09:58 UTC in reply to "RE: Option to Disable"
lemur2 Member since:
2007-02-17

Why after Microsoft? It will be OEMs who implement this feature. If they are too lazy to allow disabling or they void warranty if user does then it is hardly MS fault.


Microsoft are saying that OEMs will only be allowed to display a "Made for Windows 8" sticker if UEFI Secure boot is enabled.

http://www.readwriteweb.com/enterprise/2011/09/windows-8-spells-tro...

"Microsoft is trying to lock down system firmware to prevent malware and pirated copies of Windows. Unfortunately, this may have some undesirable side effects for Linux users and anyone else that wants to boot an operating system not officially blessed by Microsoft and OEMs. This poses a problem for hobbyists and large organizations alike.

This was discovered by Linux developer Matthew Garrett, who's been doing a lot of work with EFI booting in general for his day job. Recent UEFI specifications have allowed for "secure boot" that requires an OS to have a signed key in system firmware to work.

Microsoft is requiring that OEMs ship client systems with the secure boot enabled to get the Windows 8 logo. Of course, all major OEMs are going to want the Windows 8 logo. "

Edited 2011-09-22 10:02 UTC

Reply Score: 4

Hmm
by Ultimatebadass on Thu 22nd Sep 2011 07:39 UTC
Ultimatebadass
Member since:
2006-01-08

So they finally came up with something to counter bypassing of windows activation with the "SLIC in bootloader" trick...

Sadly (for us), it seems they are going after a fly with an ICBM.

Reply Score: 2

EasyBCD, Chain-Loading
by dosende on Thu 22nd Sep 2011 12:55 UTC
dosende
Member since:
2011-05-27

Is it maybe possible to chain-load other operating systems via Microsoft's own UEFI boot loader? When multiple versions of Windows are installed on the same machine, they share one UEFI boot entry, then their own boot loader allows you to choose between versions of Windows, just as one install of GRUB can be configured to boot many operating systems.

For MBR/BIOS systems, Microsoft's loader has been configured to load a number of operating systems other than Windows (look to EasyBCD). But I think that just chain-loads other boot loaders like GRUB. If Microsoft's loader still uses UEFI's boot services, then chain-loading will be just as difficult/impossible as loading directly.

If we put aside user lock-in and think about it as a security issue, then the possibility of booting alternative operating systems with Microsoft's own boot loader seems unlikely (it'd be easier to attack a user by reconfiguring their loader from within Windows).

If this is implemented as expected, the only way I see installing Linux is if we somehow make Linux mimic Windows because Microsoft's boot loader will be the only one available.

I don't know. I have similar feelings as the article's author. I'm worried but not panicked. These things tend to work out. Worst-case scenario, retail PCs with Windows pre-installed will be locked-in to Windows. The enthusiast community will still be able to build their own machines.

For my open-source/fun computing needs, I'm thinking about switching to something like Trim-Slice or a PandaBoard. As ARM continues its journey towards competing with x86, more stuff like this will become available and viable desktop replacements. But, yes, the days of renewing the life of old Windows machines with a free operating system might be numbered.

Reply Score: 2

windows 8 and lockout from hardware
by lordos2 on Thu 22nd Sep 2011 13:37 UTC
lordos2
Member since:
2011-09-22

I have tried to install win 8 developer edition and it will not install on any of my many machines; they all run some version of linux or bsd and win2k or winxp.

Reply Score: 1

Time to be heard
by sparkyERTW on Thu 22nd Sep 2011 15:06 UTC
sparkyERTW
Member since:
2010-06-09

It's good that this topic is being debated and discussed in articles, forums, comment sections, etc., but I think we also need to consider that a more direct approach might be the key: write to the manufacturers and let them know this isn't cool. E-mail your favourite laptop vendor(s) and let them know you will not be a happy camper if they limit your freedom of choice.

Maybe it'll work, maybe it won't, but at least you can say you tried.

Reply Score: 1

Bootcamp
by dulus on Thu 22nd Sep 2011 15:15 UTC
dulus
Member since:
2006-07-14

It can go also Apple way - Windows 8 will have some bootcamp equivalent for allowing boot another OS. It will be marketed as huge user friendly feature :-D

Reply Score: 2

RE: Bootcamp
by lucas_maximus on Thu 22nd Sep 2011 19:24 UTC in reply to "Bootcamp"
lucas_maximus Member since:
2009-08-18

And you have always been able to boot another OS using Windows ... called Boot.ini in the WinNT/2k/XP days and not BootMgr ;) .

It hasn't always been so easy on Macs ... I remember it being a mare on my iBook.

Reply Score: 2

Comment by andih
by andih on Thu 22nd Sep 2011 18:18 UTC
andih
Member since:
2010-03-27

We gotta fight for our freedom, cause if not we will lose it seems.. Gov. and the big companies would definitely want us with no other choice than their products and their ways of doing things..

Stallman is not as crazy as it seems I believe..

Thank you Thom for writing about these things.

I go for danger + freedom instead of safe slavery any day.

Reply Score: 2

RE: Comment by andih
by lucas_maximus on Thu 22nd Sep 2011 19:22 UTC in reply to "Comment by andih"
lucas_maximus Member since:
2009-08-18

OH FFS,

It is only on Machines that are Windows 8 Certified ... why would one buy a computer if one intends to run Linux/OpenBSD/Haiku etc .. if it is certified only for Windows?

I have a computer that has a WEI of 6.7 ... that has a BIOS ... do you really think I can't boot Windows 8 on the same machine, Or Microsoft won't sell me a version of Windows 8 I can use?

The article on OSNEWS by Thom is reactionary to get you guys to panic ... you do it so predictably it is almost sad.

Reply Score: 1

RE[2]: Comment by andih
by nonoitall on Thu 22nd Sep 2011 20:50 UTC in reply to "RE: Comment by andih"
nonoitall Member since:
2011-09-22

OH FFS,

It is only on Machines that are Windows 8 Certified ... why would one buy a computer if one intends to run Linux/OpenBSD/Haiku etc .. if it is certified only for Windows?

Find an economical laptop that does not have the Windows logo?

Reply Score: 3

RE[3]: Comment by andih
by lucas_maximus on Fri 23rd Sep 2011 07:16 UTC in reply to "RE[2]: Comment by andih"
lucas_maximus Member since:
2009-08-18

If you are buying non-standard it is always going to be more expensive ... just how markets work.

I have a Bicycle with a mix of 1970s French Tech ... pretty much most components are French Standard which no longer exists (everybody used the British ISO in the end) .. getting parts was expensive because I have to buy short run production replicas (luckily not often) ... they are 2 or 3 times the price of the same British ISO kit.

Reply Score: 2

RE[4]: Comment by andih
by dsmogor on Fri 23rd Sep 2011 10:39 UTC in reply to "RE[3]: Comment by andih"
dsmogor Member since:
2005-09-01

That's the point. Standards are intended to open up opportunities, not the other way around.
As with Win8 certified computers for linux think about:

1. your gf sick with windows on her Laptop wanting some alternative
2. old computers getting linux treatment to extend their life
3. old computers used as thin terminals
4. specialized distros (router, music) booted from a CD.
5. a company offering android for dissatisfied users of win8 tablets (that's esp. problematic as changing anything in bios would be a no-go for end-users)

I could go on and on.

Reply Score: 3

RE[2]: Comment by andih
by J. M. on Thu 22nd Sep 2011 23:40 UTC in reply to "RE: Comment by andih"
J. M. Member since:
2005-07-24

> why would one buy a computer if one intends to run Linux/OpenBSD/Haiku etc .. if it is certified only for Windows?

First, there are places and market segments where people cannot buy hardware that's not Windows certified. Second, hardly anyone knows for sure what OS they will intend to run on their computer during its lifetime. The vast majority of Linux users tried and installed Linux on their Windows PC first (for many reasons, like when the hardware gets too old for new Windows, when they have problems with the Windows OS and some experienced user installs Linux for them, or simply because they want to try another OS). Even if people buy a Windows PC, they may want to change the OS later. It happens too often, so now with this move, Microsoft makes sure people will dismiss that dangerous (dangerous to Microsoft) thought, especially when Windows 8 with its dual interface is so controversial yet critical to their success in the future, with the emerging competition, so they need to make sure people will get stuck with them whether they like their new OS or not.

Reply Score: 4

RE[3]: Comment by andih
by lucas_maximus on Fri 23rd Sep 2011 07:13 UTC in reply to "RE[2]: Comment by andih"
lucas_maximus Member since:
2009-08-18

Learn 2 Paragraph

Edited 2011-09-23 07:16 UTC

Reply Score: 1

RE[4]: Comment by andih
by J. M. on Fri 23rd Sep 2011 17:43 UTC in reply to "RE[3]: Comment by andih"
J. M. Member since:
2005-07-24

I know "how 2 paragraph" (i.e. when it actually makes sense). Judging from your posts here, it's you who has a serious problem understanding what a paragraph is (no, a paragraph does not equal sentence).

Reply Score: 2

Comment by shmerl
by shmerl on Thu 22nd Sep 2011 18:29 UTC
shmerl
Member since:
2010-06-08

It's enough that Microsoft imposes Windows tax on users ( http://en.wikipedia.org/wiki/Windows_refund ) while claiming that one can get refunds. Now they want to brazenly impose even more.

Nice video on the subject of "trusted computing" in general:

http://www.youtube.com/watch?v=UnXU7z2_6Jg

Edited 2011-09-22 18:33 UTC

Reply Score: 3

RE: Comment by shmerl
by lucas_maximus on Thu 22nd Sep 2011 19:17 UTC in reply to "Comment by shmerl"
lucas_maximus Member since:
2009-08-18

Oh not this Window Tax bullshit.

Basically a lot of Laptops and Desktops would not be as cheap if they didn't have a Windows License and all the crap ware ... If you don't want the crap ware ...

Either uninstall it ... which isn't hard.

Or for the cleanest install, download an ISO of the same version of Windows via (Bit torrent) that is installed and do a clean install with your legit key.

If you want to install whatever just do so ... you aren't losing anything.

I am pretty sure Dell get Windows Licenses for like $4 or something that is less than a cup of over priced coffee over here.

I think a lot of people have to get real IMO.

Reply Score: 1

RE[2]: Comment by shmerl
by shmerl on Thu 22nd Sep 2011 19:23 UTC in reply to "RE: Comment by shmerl"
shmerl Member since:
2010-06-08

> Basically a lot of Laptops and Desktops would not be
> as cheap if they didn't have a Windows License

Completely the opposite. Hardware would be cheaper if not for Windows tax.

> If you want to install whatever just do so ... you aren't losing anything.

Except the price of Windows which in general is above $100 in US.

> I am pretty sure Dell get Windows Licenses for like $4 or something

You can't be sure of something Dell never revealed to the public. Indirect methods indicate amounts much bigger than $4 as practice shows.

> I think a lot of people have to get real IMO.

Yes, to be real is to be against monopoly of crooks which MS are.

> Either uninstall it ... which isn't hard.

Microsoft wants to prevent you even from this now with this secured boot nonsense.

Edited 2011-09-22 19:28 UTC

Reply Score: 4

RE[3]: Comment by shmerl
by lucas_maximus on Thu 22nd Sep 2011 19:33 UTC in reply to "RE[2]: Comment by shmerl"
lucas_maximus Member since:
2009-08-18

Many OEMs have said that their hardware is as cheap as it is because of the bundled software and the fact that Microsoft gives them OEM discounts.

It's like standard stuff. I usually buy my laptops (which are usually Dell) from guys that repackage the OS without the crap or give me install media.

In every other walk of life ... people getting ripped because they didn't know their shit goes unnoticed ... but in the Computer world ... nerds think it is a holy war.

As I said you guys need to get real about a lot of things ...

Recent Conversation between a Bloke and a Linux fanboy in my office

Bloke - "I bought this on iTunes and my girlfriend can't play it on <other Mp3 player>"
LF - "iTunes has DRM"
Bloke - "??"
LF - "It stops you playing it on other things"
Bloke - "Well that makes sense since it is Apple's make"

Seriously people just expect this. It is exactly the same as Henry hoover bags not working on My cheap ass Argos hoover.

I should have done my research ... luckily my flat is small and I don't hoover often.

BTW hoover in England = Vacuum Cleaner.

Edited 2011-09-22 19:34 UTC

Reply Score: 2

RE[4]: Comment by shmerl
by shmerl on Thu 22nd Sep 2011 19:43 UTC in reply to "RE[3]: Comment by shmerl"
shmerl Member since:
2010-06-08

Brainwashed people can expect that to live behind barbed wires and electrical fences is a norm. Normal people don't expect that, believe me.

Your example is strange. If he expected that to happen, why did he try giving it to his girlfriend? Or was it she asking him? At least one of them is surely normal, intuitively expecting to play the media where they want. I.e. DRM is not a natural thing.

> Many OEMs have said that their hardware is as cheap as
> it is because of the bundled software and the fact
> that Microsoft gives them OEM discounts.

You mean cheaper than if they wouldn't get those discounts (read bribes from MS for them to support MS monopoly). But of course not as cheap as without Windows tax at all.

Reply Score: 3

RE[5]: Comment by shmerl
by lucas_maximus on Thu 22nd Sep 2011 19:53 UTC in reply to "RE[4]: Comment by shmerl"
lucas_maximus Member since:
2009-08-18

> Brainwashed people can expect that to live behind barbed wires and electrical fences is a norm. Normal people don't expect that, believe me.


Oh let's not try to make Operating Systems the same as actually enslaving people ... that is mental

Actually Enslaving people is actually horrible in every way imaginable, and comparing that to whether you can choose Windows or Linux to browse the internet ... is just unbelievable.

> Your example is strange. If he expected that to happen, why did he try giving it to his girlfriend? Or was it she asking him? At least one of them is surely normal, intuitively expecting to play the media where they want. I.e. DRM is not a natural thing.


It is quite obvious ... he bought a song on an iPod and tried copying to her really cheap mp3 player ... it didn't work .. when it was explained it was because the mp3 was meant to work only on his iPod he said "makes sense"

For him it was like saying "why won't my DVD work in my Cd player"

For the Linux guy it was pretty much a "war" situation for him.


> You mean cheaper than if they wouldn't get those discounts (read bribes from MS for them to support MS monopoly). But of course not as cheap as without Windows tax at all.


Bribes ... do you actually think people/companies need to be bribed to support having a decent OS? Linux is a bag of bolts and always has been.

Most software supports Windows ... therefore it is a damn good bet to run Windows if you are supplying computer hardware.

Also the OEM price you see online isn't what they pay, I am a nobody at work and I have asked for discounts from Microsoft, and I just get them... and I don't work for a OEM vendor. I mean I get a discount of VS2010 ultimate of 90% by just calling the right person.

It ultimately depends on who you ask at Microsoft as to whether you get a discount ... it's mainly to do with your relationship with the supplier. However with Microsoft you have to be very specific as to what you want from them when trying to get discount.

I asked JetBrains that supply ReSharper for a discount because we are a charity ... as I got 50% off without any haggling. My email was "do you do a discount for charities on the corp version?"

Seriously big companies don't pay what you see online for Microsoft software prices. If I got 50% off by asking nicely, imagine what Dell gets.

Edited 2011-09-22 20:01 UTC

Reply Score: 1

RE[6]: Comment by shmerl
by shmerl on Thu 22nd Sep 2011 20:05 UTC in reply to "RE[5]: Comment by shmerl"
shmerl Member since:
2010-06-08

Whatever they pay, they still inflate the price because of that. I don't really care about how much they pay, I care about having a choice not to be affected by this bundling.

> It is quite obvious ... he bought a song on an iPod and tried copying to her really cheap mp3 player ... it didn't work .. when it was explained it was because the mp3 was meant to work only on his iPod he said "makes sense"


You see, you are disproving your own point (which was seriously people just expect this.). He knew it was iPod (i.e. Apple), still he expected to copy the song to other device because it's a natural thing to expect. Only after he started to dwell on it more, he agreed that since it's Apple, that won't work. But normal expectation - it should work. So when it doesn't work - it's not a norm. That was my point.

Edited 2011-09-22 20:06 UTC

Reply Score: 4

RE[7]: Comment by shmerl
by lucas_maximus on Thu 22nd Sep 2011 22:08 UTC in reply to "RE[6]: Comment by shmerl"
lucas_maximus Member since:
2009-08-18

> Whatever they pay, they still inflate the price because of that. I don't really care about how much they pay, I care about having a choice not to be affected by this bundling.


No we care about getting shit done.

I explained to you but you ignored that I can get discounts from MS.

It is quite simple ... it works for us. If you don't f--king like that too f--king bad. I don't really care how much you value freedom ... It is called a "deal" and it has been done since the start of time ... get a clue would you.

> You see, you are disproving your own point (which was seriously people just expect this.). He knew it was iPod (i.e. Apple), still he expected to copy the song to other device because it's a natural thing to expect. Only after he started to dwell on it more, he agreed that since it's Apple, that won't work. But normal expectation - it should work. So when it doesn't work - it's not a norm. That was my point.


I am not disproving my own point. The point was that nobody unless us geeks really give a shit. He basically said "oh wait I bought some apple shit and it didn't work with some TESCO shit ... well okay fair enough".

Thus the Hoover example. but you didn't quite catch on.

Edited 2011-09-22 22:13 UTC

Reply Score: 2

RE[4]: Comment by shmerl
by Soulbender on Thu 22nd Sep 2011 20:10 UTC in reply to "RE[3]: Comment by shmerl"
Soulbender Member since:
2005-08-18

> Many OEMs have said that their hardware is as cheap as it is because of the bundled software and the fact that Microsoft gives them OEM discounts.


Unless MS actually *pay* them that will still add to the cost. A discounted price is still a cost, it doesn't reduce the cost of your manufacturing and assembly process.
Bundled software could help reducing the price somewhat but then again, I see plenty of cheap hardware that comes with no OS and consequently no bundled apps.

Reply Score: 3

RE[4]: Comment by shmerl
by vitae on Thu 22nd Sep 2011 20:58 UTC in reply to "RE[3]: Comment by shmerl"
vitae Member since:
2006-02-20



> BTW hoover in England = Vacuum Cleaner.


lol It's a good thing you added that. You say Hoover, and I immediately think either Herbert or J. Edgar.

Reply Score: 2

RE[2]: Comment by shmerl
by lemur2 on Thu 22nd Sep 2011 23:51 UTC in reply to "RE: Comment by shmerl"
lemur2 Member since:
2007-02-17

> Oh not this Window Tax bullshit. Basically a lot of Laptops and Desktops would not be as cheap if they didn't have a Windows License and all the crap ware ... If you don't want the crap ware ... Either uninstall it ... which isn't hard. Or for the cleanest install, download an ISO of the same version of Windows via (Bit torrent) that is installed and do a clean install with your legit key. If you want to install whatever just do so ... you aren't losing anything. I am pretty sure Dell get Windows Licenses for like $4 or something that is less than a cup of over priced coffee over here. I think a lot of people have to get real IMO.


There is a company in my country that advertises a base price for its computers which does not include the price of the OS. AFAIK Pioneer Computers buys component parts from Asian countries and then assembles the computers in Australia. This is the page for its inexpensive Notebook Computers $149-$699
http://pioneercomputers.com.au/products/products.asp?c1=3&c2=12

If you look at the detailed price breakdown of the cheapest Windows 7 machine, you see this:

http://pioneercomputers.com.au/products/configure.asp?c1=3&c2=12&id...

The base price is $349. Any option to have Windows installed will cost extra.

Microsoft Windows XP Professional [+$169]
Microsoft Windows XP Home Edition with Recovery CD [+$39]
Microsoft Windows 7 Home Premium (32/64 Bit) [+$99]
Microsoft Windows 7 Professional (32/64 Bit) [+$169]
Microsoft Windows 7 Ultimate Upgrade/Full Version (64 Bit) [+$199]

There are other options:
Upgrade Windows from 32 bit to 64 bit
Ubuntu Linux OS Pre-loaded. Great freeware.
Multi Boot OS Set up, Up to 4 Operating Systems [+$49]

Ubuntu is the only option for which you can buy the machine at its base price of $349. Ubuntu comes with LibreOffice installed, BTW. Every option for Windows comes with a Windows tax. The minimum Windows 7 tax is $99, the full version Windows 7 tax is $199. Microsoft Office 2010 Home and Business Edition is +$253.

A machine with Windows 7 Home Premium plus Microsoft Office 2010 Home and Business Edition, offering almost the same level of functionality as the Ubuntu option at $349, would cost an additional $352. It would cost $701 total for the Windows 7 Home Premium + Microsoft Office 2010 Home and Business Edition, compared to the base price of $349.

More than twice the price.

Microsoft wanting to put UEFI secure boot into OEM ROMs would mean that Pioneer Computers could not offer its customers the inexpensive option (the $349 Ubuntu option, without any Windows tax).

Edited 2011-09-23 00:10 UTC

Reply Score: 3

Very disappointing
by obsidian on Thu 22nd Sep 2011 22:17 UTC
obsidian
Member since:
2007-05-12

It's very disappointing (but not surprising), the way that Windows 8 is shaping up.

The secure boot thing. The "only apps from the Windows Store" thing.
( Thom mentions that he's "fairly sure the relevant registry key" (to bypass installing apps via the store) "will be easily toggled for us geeks."
Hopefully so, but I wonder how long that access would last. Not long at all, I'm thinking. It'd be very easily removed by MS, should the mood take them.

When I first saw the look and feel of Windows 8, I was *really* interested (and this from a Linuxhead).
It looked really nice, really clean. Sadly, MS seem to be reverting to their old ways, with the "secure boot" and Windows store stuff. That has **completely** killed my interest in Windows 8.

Edited 2011-09-22 22:26 UTC

Reply Score: 3

None Should Be Shocked.
by Pelly on Fri 23rd Sep 2011 00:38 UTC
Pelly
Member since:
2005-07-07

None of us should be shocked by this development.

This is nothing short of hijacking your computer hardware in an attempt to prevent users from using anything but future versions of Windows.

There is a work-around. While not the best, it is an option. If/when this lock-down is fully implemented, I can envision people purchasing additional hard drives (or flash drives) for laptops and mobile devices that allow quick remove-replacement of storage media.

The bothersome part of this situation is h/w ownership. Imagine purchasing an oven. Now imagine it's impossible to cook anything but beef and pies of a particular store in that oven (it's an abstract example, so just work with me here). You didn't know this at the time and the oven came with steaks and pies from "Bill's Beef & Pies." Now that you have your oven in your house, you've enjoyed some steaks & pies that came with it. Now you want to cook a chicken dinner for your family because chickens are free and you've heard that they're really good (friends & coworkers are always raving how they love chickens because there are so many recipes for them). The oven fails to turn on since it isn't beef (from Bill's) in the oven. You call the store and they finally tell you that the oven only works for beef and pies from Bill's Store; nothing else will allow the oven to turn on.

Would you put up with that? Of course not.

The alternative is to have two ovens. One for pies & beef from Bill's Store and another for everything else.

Reply Score: 1

RE: None Should Be Shocked.
by n4cer on Fri 23rd Sep 2011 01:25 UTC in reply to "None Should Be Shocked."
n4cer Member since:
2005-07-06

But for similar FUD at the introduction of TPM, all should be shocked at the massive amount of FUD brought about by an OS vendor utilizing a firmware standard to help guard against rootkits.

http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os...

Edited 2011-09-23 01:32 UTC

Reply Score: 2

RE: None Should Be Shocked.
by Alfman on Fri 23rd Sep 2011 01:39 UTC in reply to "None Should Be Shocked."
Alfman Member since:
2011-01-28

Pelly,


"Imagine purchasing an oven. Now imagine its impossible to cook anything but beef and pies of a particular store in that oven...Would you put up with that? Of course not."

It's a silly little example. But you know what, if Bill Gates had a monopoly on cattle and that's all the major stores sold, then it's entirely possible that consumers would end up buying ovens that are designed exclusively for Bill's goods.

Consumers wouldn't consider any other ovens because none of them can cook Bill's Beef which they have to order in stores.

...Now back to reality...

Reply Score: 1

RE[2]: None Should Be Shocked.
by lemur2 on Fri 23rd Sep 2011 01:57 UTC in reply to "RE: None Should Be Shocked."
lemur2 Member since:
2007-02-17

> Pelly, "Imagine purchasing an oven. Now imagine its impossible to cook anything but beef and pies of a particular store in that oven...Would you put up with that? Of course not." It's a silly little example. But you know what, if Bill Gates had a monopoly on cattle and that's all the major stores sold, then it's entirely possible that consumers would end up buying ovens that are designed exclusively for Bill's goods. Consumers wouldn't consider any other ovens because none of them can cook Bill's Beef which they have to order in stores. ...Now back to reality...


I don't want to eat Bill's beef, it makes me sick. I read that there are hundreds of millions of cases worldwide where other people have become sick from eating Bill's Beef.

The Bill's Beef cookers break down all the time, they are horribly slow, and normally they are covered in obnoxious advertising, and the cheapest ones cost twice as much as they should.

Fortunately, I can buy ovens that will cook a wonderful array of other nutritious meals, unlike Bill's Beef ovens, which won't even turn on if I try to cook my meals in such ovens.

Because Bill's Beef has outrageous control of the market, I have to dig around to find an alternative oven, but I can do it.

You can bet your bottom dollar that I am going to loudly protest if Bill's Beef Company tries to take my other oven options off the market. I won't stand for such bulls**t.

Edited 2011-09-23 01:59 UTC

Reply Score: 4

RE: Apparently its just an option.
by lemur2 on Fri 23rd Sep 2011 01:41 UTC in reply to "Apparently its just an option."
lemur2 Member since:
2007-02-17



It is an "option" that OEMs are required to include if the OEMs wish to put a "designed for Windows 8" sticker on their hardware.

No UEFI Secure boot, no "designed for Windows 8" sticker.

Optional. Sure.

Reply Score: 3

shmerl Member since:
2010-06-08

+1. Microsoft tries to wash hands as usual. Same garbage argument as in case of Windows tax, when MS says that manufacturers aren't forced to bundle anything, and if they do - refund can be claimed. In reality not only the vast majority bundle - to get a refund is close to impossible in most cases.

Same thing here. Microsoft will claim that OEM can give an option to disable the "secured" boot, but in reality OEMs won't do it and there will be no normal way for users to do it.

Edited 2011-09-23 04:18 UTC

Reply Score: 3

It's For Your Own Good!
by benali72 on Fri 23rd Sep 2011 04:53 UTC
benali72
Member since:
2008-05-03

Malware stats from groups like McAfee make clear bootloader attacks are rare. Security issues occur AFTER you're in Windows, not outside of Windows.

According to MS's blog post -- "Who is in control? At the end of the day, the customer is in control of their PC."

Baloney.

(See MS blog post here -- https://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os...)

Reply Score: 2

RE: It's For Your Own Good!
by shmerl on Fri 23rd Sep 2011 05:14 UTC in reply to "It's For Your Own Good!"
shmerl Member since:
2010-06-08

They say the truth in the same post (they can't easily say outright lies), but they obscure it with tons of demagogy.

They write:

> OEMs are free to choose how to enable this support

That's it. It means OEMs are in control, and not users. And Microsoft is happy to control OEMs as they already do - with rebates and other similar stuff.

Edited 2011-09-23 05:15 UTC

Reply Score: 3

RE: It's For Your Own Good!
by shmerl on Fri 23rd Sep 2011 15:11 UTC in reply to "It's For Your Own Good!"
shmerl Member since:
2010-06-08

Heh, that MSDN blog censors out comments which prove how ridiculous their arguments are. Somehow I didn't expect from MS anything better anyway.

Reply Score: 2

foregam
Member since:
2010-11-17

<removed, duplicate link>

Edited 2011-09-23 09:09 UTC

Reply Score: 1

Everybody chill out.
by tidux on Fri 23rd Sep 2011 15:42 UTC
tidux
Member since:
2011-08-13

http://www.coreboot.org/

There's no way they can stop you from running Coreboot on compatible motherboards without preventing themselves from pushing BIOS/UEFI updates.

Reply Score: 1

AmigaONE 500 / X1000
by bugjacobs on Fri 23rd Sep 2011 16:29 UTC
bugjacobs
Member since:
2009-01-03

Maybe the AmigaONE / ARESONE computers suddenly become more interesting :-)

Reply Score: 1

Am I the only one
by kurkosdr on Fri 23rd Sep 2011 20:43 UTC
kurkosdr
Member since:
2011-04-11

Am I the only one wishing right now that all evolution in the IT industry stopped, and no new equipment is produced anymore?

Mandatory secure boot, Cinavia, DRM in games that requires an always on internet connection, movies that can be “licensed” through streaming services but not bought, plus whatever else the corps think of next.

The only hope is that there will be a major backlash by consumers and a turn towards open devices, like the turn to USB hardware media players that happened after Bluray players and the PS3 got infected with Cinavia. In plain English, users will be divided between the free world (users running open devices) and the enslaved world (users running locked devices). Trust me.

Reply Score: 2