Linked by Thom Holwerda on Tue 18th Oct 2011 21:03 UTC, submitted by Dirge
GNU, GPL, Open Source "The Free Software Foundation released a statement open for public signing, titled 'Stand up for your freedom to install free software'. The statement is a response to Microsoft's announcement that if computer makers wish to distribute machines with the Windows 8 compatibility logo, they must implement a system called 'Secure Boot'. The FSF statement warns against the danger that, if done wrong, this system would have to be called Restricted Boot, because it could make computers incapable of running anything but Windows." Signed.
Thread beginning with comment 493415
Alfman Member since:
2011-01-28

f0dder,

"After a long hiatus, MBR based rootkits are semi-slowly starting to appear again."

You're missing the key piece though, the system will have been infected through another vulnerability in the first place - secure boot does NOT fix that!!!

And in any case, we're not arguing against secure booting, that's a total red herring. We're arguing against a security feature a 3rd party holds the keys to. I don't mind that a 3rd party holds the keys by default - but to be a legitimate security feature the spec would have to provide an explicit method for the owner to take control and stop trusting Microsoft/vendor.

Reply Parent Score: 4

f0dder Member since:
2009-08-05

"You're missing the key piece though, the system will have been infected through another vulnerability in the first place - secure boot does NOT fix that!!!"

It doesn't stop the "buggy OS" attack vector - that much I agree on. But it can plug the "hotel cleaning maid installs industrial espionage rootkit on laptop with bootcd" attack vector. Or the "disgruntled employee exfiltrates corporate data from otherwise locked-down system" attack vector.

"We're arguing against a security feature a 3rd party holds the keys to. I don't mind that a 3rd party holds the keys by default - but to be a legitimate security feature the spec would have to provide an explicit method for the owner to take control and stop trusting Microsoft/vendor."

Agree 100% - the UEFI key management needs to remain under our control.

Reply Parent Score: 1

jabbotts Member since:
2007-09-06

I get the evil maid attack vector; more easily solved by putting one's boot loader on removable media attached to your keychain but sure, a secured boot process does mitigate modifying the boot process (I just question Microsoft's intended implementation).

But a disgruntled employee? How does a Microsoft certified secure boot process stop an employee from walking data out of the building in any of a hundred other methods? Why would an employee use a modified boot process in the first place? "to get others' passwords" doesn't even make sense given the low cost and skill needed to operate a physical keylogger. What disgruntled employee is being foiled by Microsoft authorizing the booting of my workstation?

Reply Parent Score: 4