Linked by Thom Holwerda on Wed 21st Sep 2011 22:06 UTC, submitted by kragil
After the walled garden coming to the desktop operating system world, we're currently witnessing another potential nail in the coffin of the relatively open world of desktop and laptop computing. Microsoft has revealed [.pptx] that as part of its Windows 8 logo program, OEMs must implement UEFI secure boot. This could potentially complicate the installation of other operating systems, like Windows 7, XP, and Linux.
RE: Comment by ronaldst
by lemur2 on Wed 21st Sep 2011 23:33 UTC in reply to "Comment by ronaldst"
lemur2 Member since:
2007-02-17

"I have a hard time believing the combined power of Apple and Microsoft - both strong supporters of these kinds of anti-user features" Can't tell if trolling... Anti-user? That doesn't even compute.


"Anti-user" is any feature that is part of a product that is there only because it benefits the vendor, not the user.

http://en.wikipedia.org/wiki/Damaged_good

"In economics, a damaged good (sometimes termed "crippleware" or product with "anti-features") is a good that has been deliberately limited in performance, quality or utility, typically for marketing reasons as part of a strategy of product differentiation."

Microsoft's "Genuine Advantage" euphemism is an absolute classic example. This did absolutely nothing for users except lock some of them out and require some people to purchase new copies of software they had already bought.

Here is another example of a different flavour:
http://www.osnews.com/comments/25175

Microsoft's "Windows 7 Starter" is a similar (although not as drastic) example where Microsoft take a reasonable OS and then go out of their way to cripple it. It actually costs Microsoft more to produce such a version which has the express aim to give users less functionality.

Anti-user. QED.

Edited 2011-09-21 23:39 UTC

Reply Parent Score: 12

RE[2]: Comment by ronaldst
by Brendan on Thu 22nd Sep 2011 02:29 in reply to "RE: Comment by ronaldst"
Brendan Member since:
2005-11-16

Hi,

Anti-user. QED.


Whether or not it's anti-user depends on who has the keys.

If the owner of the computer (e.g. the end-user) has full control over which keys are installed, then it's a "pro-user" feature as it allows them to run any OS they like while also making it hard for things like boot-time rootkits and viruses; and may possibly even help to prevent theft (e.g. if your laptop gets stolen, then maybe nobody will be able to access your data without your password; even if they attempt to replace the OS). This is the best case scenario - a scenario where (for e.g.) Linux could also use secure boot to benefit the end user.

If the owner of the computer (e.g. the end-user) doesn't have any control over which OSs are allowed and which aren't, then it's anti-user (and I'll be boycotting and recommending everyone else does too).

It's worth pointing out that "UEFI Secure Boot" could be used either way - to benefit the owner/user, or in spite of the owner/user. I'm hoping it will be used in a good way (e.g. to avoid the need for a layer of "DeepSAFE" McAfee bloat) and not in a bad way.

- Brendan

Reply Parent Score: 6

RE[3]: Comment by ronaldst
by lemur2 on Thu 22nd Sep 2011 03:11 in reply to "RE[2]: Comment by ronaldst"
lemur2 Member since:
2007-02-17

"Hi, Anti-user. QED. Whether or not it's anti-user depends on who has the keys. If the owner of the computer (e.g. the end-user) has full control over which keys are installed, then it's a "pro-user" feature as it allows them to run any OS they like while also making it hard for things like boot-time rootkits and viruses; and may possibly even help to prevent theft (e.g. if your laptop gets stolen, then maybe nobody will be able to access your data without your password; even if they attempt to replace the OS). This is the best case scenario - a scenario where (for e.g.) Linux could also use secure boot to benefit the end user. If the owner of the computer (e.g. the end-user) doesn't have any control over which OSs are allowed and which aren't, then it's anti-user (and I'll be boycotting and recommending everyone else does too). It's worth pointing out that "UEFI Secure Boot" could be used either way - to benefit the owner/user, or in spite of the owner/user. I'm hoping it will be used in a good way (e.g. to avoid the need for a layer of "DeepSAFE" McAfee bloat) and not in a bad way. - Brendan"

My post made no claim if UEFI Secure Boot was or was not an "anti-user" feature.

The author of the lead article, kragil, introduced the term "anti-user" with these paragraphs:

"For now, it's hard to tell if this secure boot thing will be an option we can turn off, or if OEMs will - like they do with BIOS features all the damn time - disable the option of turning it off. In any case, I must say that I'm very, very worried that the horrible, anti-user situation of smartphones will permeate into the world of desktop and laptop computers.

The problem here is that governments the world over will be filled with glee over the fact that we would no longer be able to run the software of our choosing - at least, not easily. This means more control, something the, for instance, entertainment industry will love to death. I mean, someone has to think of the children.

I have a hard time believing the combined power of Apple and Microsoft - both strong supporters of these kinds of anti-user features - will not be able to convince and buy governments the world over into not doing anything about this.

It would appear that despite his extremist views over the years, Richard Stallman is more and more starting to look like a true visionary. The fact that he had the foresight to think about hypothetical issues like this decades ago is pretty remarkable."


My post was intended only to explain what was meant by the term "anti-user". It is not a term that "does not compute".

FWIW, I think the original article was actually a pretty decent clue as to what was meant by the term, and what was wrong (from a user's perspective) with UEFI secure boot, but there you go.

BTW, the whole concept of UEFI secure boot is defeated if ordinary users have keys. If ordinary users have keys, rootkit authors will have keys also.

http://www.osnews.com/permalink?490295

Edited 2011-09-22 03:18 UTC

Reply Parent Score: 3

RE[3]: Comment by ronaldst
by Alfman on Thu 22nd Sep 2011 04:53 in reply to "RE[2]: Comment by ronaldst"
Alfman Member since:
2011-01-28

Brendan,

"Whether or not it's anti-user depends on who has the keys."

Precisely.

Some people here are assuming that the keys must be hard coded into the BIOS such that only operating systems approved by the vendors can be run. I really don't know if that is the intention of UEFI secure boot or not... if it is, well users are screwed. Not only won't we have control, but now the security of our own computers becomes dependent upon third parties who control the master keys.

Ideally this feature should be designed to work for users rather than against us. All keys could be manageable through the BIOS on powerup, and then remain locked after boot so they cannot be tampered with later on. Then we could use our own individual/corporate key to sign the keys of whichever OS vendors we want to trust on our computers or LANs.

Of course, for normal users, this would all be set up at the factory...but at least the control over which operating systems are allowed to run lies with us as users rather than the manufacturer or Microsoft.

Also there is another risk, that even if users can manage their own keys, a powerful vendor might coerce users to delete keys of its competitors in order to load itself. Therefore I'd hope that this feature is designed in such a way that the list of approved keys can be kept secret from discriminatory operating systems.

Reply Parent Score: 5

RE[3]: Comment by ronaldst
by amadensor on Thu 22nd Sep 2011 19:05 in reply to "RE[2]: Comment by ronaldst"
amadensor Member since:
2006-04-10

Solution: Create a non-free, open source signed bootable CD whose only function is to insert new keys into the UEFI. That one CD can be signed, and each machine owner can generate their own private key (easily automated) and as part of the install process, the software is signed with the key specific to that person, no keys public to leak, and yet everyone has the keys needed to modify the hardware and hopefully this can comply with GPL3.

Install goes like this:

1: Run special key maker CD, which inserts the key into the chip and puts it on a flash drive.

2: Run the installer which grabs the key from the flash drive and signs the install.

3: Pull out the USB drive so that malware can't grab it.

When you want to tweak the boot loader, or install something that needs to be signed, you plug in the flash drive just during that install's signing process. Physical security to reduce the window of opportunity for malware to get your key.

Reply Parent Score: 1
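
The three-step flow in amadensor's post above, modelled with openssl as an added example (it is not part of any comment in this thread). It uses detached signatures over a constructed stand-in file to show which half of the key the machine keeps and which half leaves with the flash drive; real Secure Boot images carry embedded signatures (for example from sbsign) and keys are enrolled through firmware setup. All file and function names are assumptions.

```shell
#!/bin/sh
# Added illustration: owner-held signing key, public half "enrolled" in firmware.
# The loader file and the db.pub file are constructed stand-ins, not real UEFI objects.
set -eu

# Step 1: the owner generates a private key and self-signed certificate
# on removable media. $1 = directory standing in for the flash drive.
make_owner_key() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Machine owner boot key (example)" \
        -keyout "$1/owner.key" -out "$1/owner.crt" 2>/dev/null
}

# The machine keeps only the public half. $1 = certificate, $2 = "firmware db" file.
enroll_public_key() {
    openssl x509 -in "$1" -pubkey -noout > "$2"
}

# Step 2: the installer signs the image with the key read from the flash drive.
sign_image() {  # $1 = private key, $2 = image; writes $2.sig
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# Boot-time check: does the image match a signature made by the enrolled key?
verify_image() {  # $1 = enrolled public key, $2 = image
    openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d); usb="$work/usb"; mkdir "$usb"
    printf 'constructed stand-in for a boot loader\n' > "$work/loader.efi"
    make_owner_key "$usb"
    enroll_public_key "$usb/owner.crt" "$work/db.pub"
    sign_image "$usb/owner.key" "$work/loader.efi"
    rm -rf "$usb"   # Step 3: the flash drive (and the private key) is unplugged
    verify_image "$work/db.pub" "$work/loader.efi" && r1=accepted || r1=rejected
    # Anything that modifies the loader afterwards cannot re-sign it without the key
    printf 'modified after signing\n' >> "$work/loader.efi"
    verify_image "$work/db.pub" "$work/loader.efi" && r2=accepted || r2=rejected
    rm -rf "$work"
    echo "$r1 $r2"
}

demo
```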