Linux Group Files Complaint With EU Over SecureBoot

  • Originally posted by dee.
    Yes. OEMs are coerced into implementing secure boot in order to sell win8 machines. Secure boot makes it difficult for average users to change their OS. It's possible to do it if you know what you're doing, but way too difficult for the average user. This makes it harder to try alternate operating systems.
    Well, it's not hard to disable SB. It's in the manual too.
    Plus, I don't see the average user wanting to try a different OS. And if he does, he'll probably try ubuntu, and it will probably boot without problems. Distros can also give instructions on how to disable SB.

    Originally posted by dee.
    It is a stupid argument. Just because you're not physically coerced to do something doesn't mean you're not forced. Just because you're not forced to do something doesn't mean it isn't wrong. Users are forced to buy hardware with "secure" boot because there is no realistic choice - if you're buying new x86 hardware, 99% of cases it either comes with "Secure" Boot, and hardware that doesn't have "secure" boot is more expensive.
    Well, if you mean the price with Windows included, then yes, it might be more expensive. But then again, there's plenty of stuff that is cheaper when bought together with something else.
    If you find an OEM shipping without the ability to disable SB, take your PC back and choose one that doesn't. If everyone had this attitude, this problem would vanish. Don't blame Microsoft for trying to make money with or without ethics.

    Originally posted by dee.
    You can't break microsoft's DRM. You can't modify your system to do what you want.
    You can't break DRM in any other OS either as much as you can't in Windows. You can't modify photoshop, premiere, final cut, call of duty, macos, symbian os, and many more either! Guess what; people have been complaining a lot about not being able to influence Gnome development either! You also can't modify the license of GPL source code either, unless you're the owner.

    Originally posted by dee.
    Corporations are not the same thing as nature. Corporations are run by people who can make choices. Those people are responsible for their actions, and by extension, so are corporations - if corporations act criminally, they can be held accountable in a court of law. Nature cannot be blamed because it's not a sentient entity, you cannot hold nature responsible for anything - if a crocodile eats you, you (or your relatives) can't take nature to court for allowing a crocodile to eat you.

    In other words, comparing corporations (or people) to nature is stupid.
    Corporations are run by people who make choices, and those choices are conditioned by something: the law. In this specific case, Microsoft is not breaking any law.

    Comparing people to nature is as stupid as comparing crocodiles to nature: it isn't stupid!
    People are part of nature, and as such they will try to walk over the others to get what they want. Now, we're rational people and we've established systems to regulate what people do. And if someone does something wrong while still being able to fulfill the system's requirements, it's the system that must be corrected, not the people.

    Originally posted by dee.
    And that's what people are doing now. Even the title of this thread says it clearly - people are filing a complaint with EU over "secure" boot.
    Ok, now let's read a little more than just the title: "The Hispalinux Spanish Linux association has filed a complaint against Microsoft with the European Union over the UEFI SecureBoot. "
    Please remember that you're reading a news website. Titles are rarely the entire truth.


    Originally posted by dee.
    So? Perpetuating a wrong does not make it right.

    Any system should be designed in such a way that user's freedom is the default assumption, and any feature that takes away from user's freedom needs to be opt-in, not opt-out like in "secure" boot.
    I fully agree with you here. And fighting Microsoft will help how exactly? Even if the complaint is accepted and Microsoft loses in court, it will only solve the problem until someone else does the same. What you just said here should be a law, not a fight against Microsoft.



    Originally posted by dee.
    I don't have any hardware that uses "secure" boot and I don't intend getting any. What does your response have to do with what I said? I said a decent, functional SB implementation should ONLY accept user-created keys, and should always be opt-in. There is no such SB implementation on the market.

    "Secure" boot, as it is currently implemented, does NOT benefit the average user. Average users are not knowledgeable enough to create and use their own keys with the current SB implementations, so they default to using MS's flawed top-down trust model. This is unacceptable. No one should place their trust in MS.
    You're contradicting yourself. First you say that no default keys should be provided, then you say it's too difficult for the average user to add/remove keys. The default keys are provided for convenience. You may delete them if you wish.

    I agree that the system may not be the easiest thing on earth, but I don't know how they could do it better... If you do, please say so.



    • Originally posted by Sonadow
      Long story short: you are just against it because MS is the key signing authority.

      If it was the Linux Foundation being the key signing authority and using SB to restrict MS you'd be busy boasting about the benefits of SB as though it was the best thing to exist.
      Long story even shorter: You're not able to argue honestly, so you come up with this intellectually dishonest strawman fantasy that you're using to discredit the opposition.


      #1 - you make unfounded assertions about the reasons of my objections against SB - ignoring any of the valid reasons for objecting it that I have presented in this thread.

      #2 - you attempt to portray my objection of SB as some kind of irrational crusade against microsoft, despite not having any evidence or basis for such characterization.

      #3 - you make further assumptions about a totally irrelevant hypothetical scenario and my behaviour in said scenario.


      In other words, all your claims are entirely baseless and unfounded, yet you attempt to imply that it is me who is acting irrationally. If you have any valid counterarguments against my actual points, present them - otherwise, shut the fuck up and stop wasting my (and everyone else's) time.



      • Originally posted by dee.
        Long story even shorter: You're not able to argue honestly, so you come up with this intellectually dishonest strawman fantasy that you're using to discredit the opposition.


        #1 - you make unfounded assertions about the reasons of my objections against SB - ignoring any of the valid reasons for objecting it that I have presented in this thread.

        #2 - you attempt to portray my objection of SB as some kind of irrational crusade against microsoft, despite not having any evidence or basis for such characterization.

        #3 - you make further assumptions about a totally irrelevant hypothetical scenario and my behaviour in said scenario.


        In other words, all your claims are entirely baseless and unfounded, yet you attempt to imply that it is me who is acting irrationally. If you have any valid counterarguments against my actual points, present them - otherwise, shut the fuck up and stop wasting my (and everyone else's) time.
        I don't even need to do that because you are the one who has proven himself to be too obstinate to listen to logic. Every single last allegation or claim you cooked up in the previous pages has been soundly and utterly debunked by Matthew himself, the writer of the shim loader that is being used by Ubuntu, OpenSUSE and Fedora to boot Linux with SB enabled.

        You made wild allegations about Microsoft distributing keys when Microsoft NEVER distributes keys.

        You conveniently ignored the fact that users CAN and HAVE the ability to enroll their own user-generated keys into the UEFI key lists. Matthew and Bottomley have ALREADY published extensive information on this in their blogs.

        You conveniently ignored the fact that abused keys can be shut down by Microsoft, OpenSUSE, Fedora, Ubuntu since they are within the circle of trust with regards to signing, and also ignored Matthew's report that SB keys are NOT obfuscated, just plain RSA keys.

        You made a wild claim that Verisign is in Microsoft's pocket when their only job is to validate the requester's identity, NOT to sign the keys.

        You made a wild claim that Microsoft is against signing FOSS binaries just because they refuse to sign GPLv3-licensed binaries when they have clearly demonstrated that they are perfectly fine with signing GPLv2 binaries. You conveniently ignored the facts once again that Microsoft is simply averse to GPLv3. Matthew himself pointed out this fact explicitly.

        You made a ridiculous claim of fact that anybody can grab hold of Red Hat's and the LF's keys when those keys are not even distributed, period. All that is distributed is a signed binary, NOT the signing key.

        Every last word I have discussed in this topic can be backed up by Bottomley, Matthew AND Microsoft, the first 2 of which are authorities on this whole hoo-ha with SB support for Linux. YOU, on the other hand, have nothing to back your claims other than the tired 'Microsoft-has-screwed-people-over-before-so-they-will-do-it-again-with-SB' paranoia.

        You have proven that you have no qualms about lying your way through when the black-and-white facts have already been thrown against your face just to justify your crusade against Microsoft and you still can accuse me of spouting nonsense when I call your bluff. Who's the one making up points and spreading FUD now?

        EDIT: Congratulations, you are the second person to have actually succeeded in making me lose my cool over a single forum post. Achievement unlocked.
        Last edited by Sonadow; 28 March 2013, 02:05 PM.



        • I'm not a hacker but from the information here I think about the following:

          1) Write some malicious software which simply modifies the hosts file so the address for Microsoft's update server points to another (your own / a compromised) one.
          2) Wait for windows to start the next automated update.
          3) Now do a man-in-the-middle attack and when it goes to updating UEFI keys tell the microsoft key has been compromised and must be replaced. Give your own key (signed with the tools some guys use (someone in this thread wrote about it) or pay $99).
          4) While doing the regular update also give a compromised update for the MBR (or whatever UEFI boots from) signed with the key from 3).

          What would stop a hacker from doing this to compromise your "secure" boot?



          • Originally posted by mdias
            Well, it's not hard to disable SB. It's in the manual too.
            Plus, I don't see the average user wanting to try a different OS. And if he does, he'll probably try ubuntu, and it will probably boot without problems. Distros can also give instructions on how to disable SB.
            It's not hard to disable SB for someone like you or me. It is hard for the average wanker. The guy who runs distrowatch recently did a report about a computer that had SB - a HP computer, so a well known brand even. It was difficult to even get to the UEFI settings - there's no instructions during the boot sequence on getting to the settings, no information in the manual, he was forced to guess his way there. Even most BIOSes let you know during boot sequence which key to press to access settings. With this UEFI, nothing.

            Next thing, when you go to UEFI to disable secure boot, you get a warning in cat-sized blinking red letters warning you about potentially dooming all mankind to oblivion if you disable secure boot - but hey, it's your choice. When the average wanker sees something like this, they panic and forget all about it. Don't tell me that you believe for a second this isn't by design.

            It isn't any better that people can try Ubuntu but not other distros. This just creates a competitive advantage for Ubuntu against other distros. Distros that don't want any part in sucking microsoft dick are at an instant disadvantage. So it's just another vector for microsoft exerting control over the linux world.

            Well, if you mean the price with Windows included, then yes, it might be more expensive. But then again, there's plenty of stuff that is cheaper when bought together with something else.
            If you find an OEM shipping without the ability to disable SB, take your PC back and choose one that doesn't. If everyone had this attitude, this problem would vanish. Don't blame Microsoft for trying to make money with or without ethics.
            Yes I blame microsoft. Why are we treating unethical behaviour by corporations as a given? Since when did it become so inevitable that corporations misbehave that we just take it for granted, shrug and move on our way? Luckily there are people who aren't so complacent with "the way things just are" and are trying to do something about it.

            And it isn't about the ability to disable it. I mean that's not enough. We need to demand it to be opt-in and not tied in to one corporation's trust model - when that corporation has all the incentive to abuse that position of power for their own gain. It's like appointing the fox to guard the chicken coop.

            You can't break DRM in any other OS either as much as you can't in Windows. You can't modify photoshop, premiere, final cut, call of duty, macos, symbian os, and many more either! Guess what; people have been complaining a lot about not being able to influence Gnome development either! You also can't modify the license of GPL source code either, unless you're the owner.
            That's irrelevant. Why should I be able to modify the license of GPL software, or why would I ever want to? It's a total non-issue. I can fork a GPL software and make whatever modifications I want. The GPL simply protects it from being closed down. GNOME is actually a great example. People complain about GNOME development, but they don't have to just complain, and some don't - some of them have forked GNOME to make it the way they want. And that's great and it's allowed.

            Windows has DRM coded right into the OS. You can't modify the behaviour of windows - you can't even change such basic things as the desktop environment. It's a totally closed system.

            Corporations are run by people who make choices, and those choices are conditioned by something: the law. In this specific case, Microsoft is not breaking any law.
            You're an expert on law, I take it? You're intimately familiar with laws both international and all the particular jurisdictions microsoft operates in? Or what exactly do you base this assertion on? Microsoft has been known to break laws plenty of times in the past, and has been held accountable for it before. This is just one more case to add to that list.

            Just because you want to think some thing should be legal, doesn't mean it is.

            Comparing people to nature is as stupid as comparing crocodiles to nature: it isn't stupid!
            People are part of nature, and as such they will try to walk over the others to get what they want. Now, we're rational people and we've established systems to regulate what people do. And if someone does something wrong while still being able to fulfill the system's requirements, it's the system that must be corrected, not the people.
            Yes it is stupid. You can hold people accountable for their actions. You cannot hold nature accountable for what wild animals, plants or such do. Haven't you ever read Moby dick?

            Ok, now let's read a little more than just the title: "The Hispalinux Spanish Linux association has filed a complaint against Microsoft with the European Union over the UEFI SecureBoot. "
            Please remember that you're reading a news website. Titles are rarely the entire truth.
            Yes, and? That's exactly what they should do. Microsoft must be held accountable for its actions. Microsoft is responsible for "secure" boot and holds control over it.

            I fully agree with you here. And fighting Microsoft will help how exactly? Even if the complaint is accepted and Microsoft loses in court, it will only solve the problem until someone else does the same. What you just said here should be a law, not a fight against Microsoft.
            The existence of an ultimate cause does not preclude addressing the proximate cause.

            In this case, the ultimate cause is that the law allows this kind of locking of hardware. The proximate cause is microsoft. We can address the proximate cause, the more immediate issue, now. That's a good first step. If we succeed it will be easier to address the ultimate cause.

            You're contradicting yourself. First you say that no default keys should be provided, then you say it's too difficult for the average user to add/remove keys. The default keys are provided for convenience. You may delete them if you wish.
            I'm contradicting nothing. I specified two points - 1, no default keys, only accept user-generated keys, and 2, the feature is opt-in, ie. disabled by default. The average user wouldn't need to worry about it since the feature would be opt-in. Only the ones who care about and need the extra security can implement the function.

            For that matter, the signing process and the registering of the generated keys could easily be automated to the point that the user would just need to follow a few simple wizards - since UEFI can be accessed from inside the OS, this can all be done in the OS, with an easy GUI. But this would make way too much sense and it would give the user too much control - so, not suitable for microsoft.

            I agree that the system may not be the easiest thing on earth, but I don't know how they could do it better... If you do, please say so.
            I already did, many times now.


            See, the whole "secure" boot thing is just microsoft wanting to get users used to microsoft controlling their hardware. Look up "trusted computing" and "palladium", then you will understand what is behind all this. Microsoft is the main driver behind "trusted computing" - they want absolute control over your hardware. It's just that there'd be a backlash if they tried implementing it all at once, so they ostentatiously put it on hold, and instead are going with the approach of getting users used to it little by little. It's the recipe for building a controlled society: if you implement big brother-style monitoring and control all at once, people will rebel, but nibble away people's freedoms a bit at a time, and no one will notice - each step seems too small to protest about, until the end result is that we've all lost all our freedoms.



            • Originally posted by Sonadow
              I don't even need to do that because you are the one who has proven himself to be too obstinate to listen to logic. Every single last allegation or claim you cooked up in the previous pages has been soundly and utterly debunked by Matthew himself, the writer of the shim loader that is being used by Ubuntu, OpenSUSE and Fedora to boot Linux with SB enabled.
              As long as we're appealing to authority, Linus himself has said secure boot does not improve security and is pointless the way it is implemented.

              You made wild allegations about Microsoft distributing keys when Microsoft NEVER distributes keys.
              Microsoft decides who gets the keys. Same diff.

              You conveniently ignored the fact that users CAN and HAVE the ability to enroll their own user-generated keys into the UEFI key lists. Matthew and Bottomley have ALREADY published extensive information on this in their blogs.
              I ignore nothing. Doesn't really matter as it is not a realistic thing to expect from the average user who just wants to try some other OS.

              You conveniently ignored the fact that abused keys can be shut down by Microsoft, OpenSUSE, Fedora, Ubuntu since they are within the circle of trust with regards to signing, and also ignored Matthew's report that SB keys are NOT obfuscated, just plain RSA keys.
              Hooray, so there are three distros kissing MS ass and enabling their behaviour. Circle of trust? Rather, a circle-jerk of trust - and you can be sure it won't be microsoft that ends up eating the cookie...

              Seriously, I don't really want Canonical, Redhat or OpenSUSE controlling my hardware either.

              You made a wild claim that Verisign is in Microsoft's pocket when their only job is to validate the requester's identity, NOT to sign the keys.
              Doesn't really matter. We all know it's microsoft that controls who gets signed and who doesn't. Microsoft decides the qualifications, and has veto power over signing.

              You made a wild claim that Microsoft is against signing FOSS binaries just because they refuse to sign GPLv3-licensed binaries when they have clearly demonstrated that they are perfectly fine with signing GPLv2 binaries. You conveniently ignored the facts once again that Microsoft is simply averse to GPLv3. Matthew himself pointed out this fact explicitly.
              Yes, just the most commonly used bootloader in the linux world is GPLv3-licensed. No coincidence there. Microsoft is averse to GPLv3 because they're averse to freedom.

              You made a ridiculous claim of fact that anybody can grab hold of Red Hat's and the LF's keys when those keys are not even distributed, period. All that is distributed is a signed binary, NOT the signing key.
              I haven't made such a claim. But anyone can pick up Red hat's or LF's bootloader, and those bootloaders (at least LF's) can be used to bootload anything. This type of single-source-of-trust model simply isn't compatible with free software where anyone can modify their kernels.

              Every last word I have discussed in this topic can be backed up by Bottomley, Matthew AND Microsoft, the first 2 of which are authorities on this whole hoo-ha with SB support for Linux. YOU, on the other hand, have nothing to back your claims other than the tired 'Microsoft-has-screwed-people-over-before-so-they-will-do-it-again-with-SB' paranoia.
              More appeals to authority? Ok. Let me just remind you then, that a definition of insanity is doing the same thing over and over, and expecting different results. Plenty of people have trusted microsoft, and every time they have gotten burned by it - the history is full of examples. But now you say they have changed their evil ways and we should (again) give them another chance... ok, feel free to put your trust in microsoft if you wish, but don't force that decision on others.

              You have proven that you have no qualms about lying your way through when the black-and-white facts have already been thrown against your face just to justify your crusade against Microsoft and you still can accuse me of spouting nonsense when I call your bluff. Who's the one making up points and spreading FUD now?
              I accuse people of spouting nonsense when they do so. You are still spouting nonsense. You think we should just bend over and accept microsoft's control over our hardware and software, when it's clear that trusting microsoft is the most stupid thing anyone can do - just look at Nokia, they trusted microsoft, and look where it got them... why should we trust microsoft when they constantly attack Linux and other free software with software patents? When they are trying to artificially inflate the cost of using Linux in order to be competitive with it? When they are trying to exert control over the development of Linux?

              EDIT: Congratulations, you are the second person to have actually succeeded in making me lose my cool over a single forum post. Achievement unlocked.
              No need for congratulations, it was pretty easy, after all.



              • Originally posted by nomadewolf
                Doesn't matter. With enough time and processing power it can be done.
                You're right, with enough time and processing power it can be done. Current estimates are that if you had an incredible amount of computing power available you might be able to break the key by 2030. At which point everyone can just migrate to a new key without even requiring a firmware update.

                Also, and much easier, Linux Foundation will provide a general bootloader with a kernel which in turn will be responsible to boot the various, numerous distros around. All that a hacker has to do is to use that.
                The Linux Foundation have already provided their general bootloader. Please do demonstrate how it could be used to launch malware.

                There's no way Microsoft will be able to ban and create new keys at the same pace as they're exploited.
                Time taken to generate a 2048-bit RSA key: significantly less than a second
                Time taken to crack a 2048-bit RSA key: Over 15 years

                SecureBoot, is not secure!!!
                More exclamation marks don't make it more true.



                • Originally posted by TAXI
                  1) Write some malicious software which simply modifies the hosts file so the address for Microsoft's update server points to another (your own / a compromised) one.
                  2) Wait for windows to start the next automated update.
                  Ok so far.

                  3) Now do a man-in-the-middle attack
                  Which will fail because the SSL certificate will fail to validate. But even if it succeeded...

                  and when it goes to updating UEFI keys tell the microsoft key has been compromised and must be replaced. Give your own key (signed with the tools some guys use (someone in this thread wrote about it) or pay $99).
                  No. You never receive a signing key (Microsoft keep that), and it doesn't matter, anyway - the key used to sign blacklist/whitelist updates is completely different.

                  4) While doing the regular update also give a compromised update for the MBR (or whatever UEFI boots from) signed with the key from 3).
                  And, as a result, this won't work.

                  What would stop a hacker from doing this to compromise your "secure" boot?
                  Cryptography.
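
The key separation described in the reply above (an update to the key databases is authorised by a different key than the one that signs boot images), as an added example that is not part of the original thread: a simplified Python model of the PK, KEK, db and dbx stores. The `Firmware` class, the helper names and the toy textbook-RSA keys built from small Mersenne primes are all assumptions made for illustration; real firmware uses X.509 certificates and timestamped authenticated variables.

```python
import hashlib

# Added illustration: toy textbook RSA and a simplified key-store model.
# All names here (Firmware, make_key, demo, ...) are hypothetical.
E = 65537  # public exponent shared by every toy key

def make_key(a, b):
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1 (NOT secure)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus, private exp)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    n, d = key
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    return pow(sig, E, pub) == _digest(data, pub)

def update_msg(var, new_pub):
    """Bytes covered by an update signature: variable name plus new entry."""
    return var.encode() + new_pub.to_bytes(64, "big")

class Firmware:
    """Key stores held as sets of public moduli."""
    # Stores whose keys may authorise a write to each variable.
    WRITERS = {"KEK": ("PK",), "db": ("PK", "KEK"), "dbx": ("PK", "KEK")}

    def __init__(self, pk, kek, db):
        self.store = {"PK": {pk}, "KEK": {kek}, "db": {db}, "dbx": set()}

    def update(self, var, new_pub, signer_pub, sig):
        """Append new_pub to var only if a permitted key signed the update."""
        allowed = set().union(*(self.store[s] for s in self.WRITERS[var]))
        if signer_pub not in allowed:
            return False  # signer has no authority over this variable
        if not verify(signer_pub, update_msg(var, new_pub), sig):
            return False  # claimed signer did not produce this signature
        self.store[var].add(new_pub)
        return True

    def boots(self, image, signer_pub, sig):
        """An image runs only if its signer is in db, not in dbx, and sig checks."""
        return (signer_pub in self.store["db"]
                and signer_pub not in self.store["dbx"]
                and verify(signer_pub, image, sig))

def demo():
    pk, kek = make_key(61, 89), make_key(89, 107)
    vendor, outsider = make_key(61, 107), make_key(107, 127)
    fw = Firmware(pk[0], kek[0], vendor[0])
    image = b"constructed bootloader image"
    add_outsider = update_msg("db", outsider[0])
    r = {}
    # "Replacement key" pushed by a fake update server, signed with itself.
    r["self_signed_db_update"] = fw.update(
        "db", outsider[0], outsider[0], sign(outsider, add_outsider))
    # Claiming to be the KEK holder without its private key.
    r["forged_kek_claim"] = fw.update(
        "db", outsider[0], kek[0], sign(outsider, add_outsider))
    # A valid image-signing key still cannot authorise a key-store write.
    r["db_key_signed_update"] = fw.update(
        "db", outsider[0], vendor[0], sign(vendor, add_outsider))
    r["outsider_image_boots"] = fw.boots(image, outsider[0], sign(outsider, image))
    r["vendor_image_boots"] = fw.boots(image, vendor[0], sign(vendor, image))
    # Legitimate revocation: the KEK holder adds the vendor key to dbx.
    r["kek_signed_revocation"] = fw.update(
        "dbx", vendor[0], kek[0], sign(kek, update_msg("dbx", vendor[0])))
    r["revoked_image_boots"] = fw.boots(image, vendor[0], sign(vendor, image))
    return r

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```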



                  • His example may not have been the most technically sound, but in some way or another it's going to be hacked. It'll probably be in some way that the Secureboot developers never even thought of.



                    • Originally posted by duby229
                      His example may not have been the most technically sound, but in some way or another it's going to be hacked.
                      You keep saying that. And, like I said, specific implementations may well be hacked. But I have not found a single actual security expert who believes that it's fundamentally broken.
