Announcement

Collapse
No announcement yet.

Linux Group Files Complaint With EU Over SecureBoot

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #11
    Originally posted by johnc View Post
    Microsoft should have every right to secure their systems as they see fit. This endless whining over SecureBoot is getting ridiculous.
    Not a chance. End user has to have the rights to do whatever he wants with his computer. M$ can eat dirt if they want, but nothing more.

    Comment


    • #12
      Originally posted by brosis View Post
      Microsoft console, yes.

      Personal computer - NO.



      There two things that you are overlooking.

      1) Its personal computer. Personal computer means it is illegal to establish monopoly or vendor lock-in.
      2) UEFI secure boot does NOT allow YOU to secure YOUR system against people trying to break in YOUR system.
      UEFI secure boot allows PEOPLE to secure THEIR system from YOU, the buyer and user.
      This is complete nonsense, and factually incorrect. Please stop spreading FUD, you are completely wrong here.

      Comment


      • #13
        Originally posted by duby229 View Post
        There have been boot viruses for decades. Secureboot isnt going to fix that. The -only- thing that it effectively did was grow a hacker community to target it. Before Secureboot it was a small purpose focused community, but now it is a larger and growing community targeting specifically Secureboot. The risk is greater now than it has ever been -because- of it.

        You know that old saying about the bullseye.... The point of the game is to hit the bullseye.... The game is about notoriety and Secureboot is an awful lucrative bullseye.
        People confuse secure boot with "my system is safe", which is not what it intends to do. Secure boot will not prevent viruses, or people pwning your system.

        But it does cause your system to stop operating in case the system has been found to be compromised (unless, as you point out, the firmware itself, or secure boot is compromised). UEFI Secure Boot will certainly help to protect against boot sector exploits (not to mention that EUFI basically does away with the MBR magic).

        Comment


        • #14
          Originally posted by sofar View Post
          People confuse secure boot with "my system is safe", which is not what it intends to do. Secure boot will not prevent viruses, or people pwning your system.

          But it does cause your system to stop operating in case the system has been found to be compromised (unless, as you point out, the firmware itself, or secure boot is compromised). UEFI Secure Boot will certainly help to protect against boot sector exploits (not to mention that EUFI basically does away with the MBR magic).
          No it was intended to be a vendor lock-in mechanism with the excuse that it would prevent unprotected code from booting. If MS had simply admitted what it was instead of making up an excuse for its existence I doubt it would be as heavily targeted today as it is.

          MS created the excuse and now it is only a matter of time until secureboot is completely compromised with the largest selection of boot viruses the world has ever seen. It would -not- have happened if secureboot never existed. This means that the next generation of viruses are going to be largely OS agnostic. They wont need an OS to function.

          MS is just completely retarded. Everything they do blows up. This isnt going to be any different.
          Last edited by duby229; 26 March 2013, 06:51 PM.

          Comment


          • #15
            Originally posted by frign View Post
            Thanks for your statement.
            The last time I checked, I saw Intel actually being part of the SecureBoot-interest-group, but I may be wrong.
            I have not yet heard from something like that.

            Intel is one of the companies working on UEFI, and therefore UEFI Secure Boot. As I said, ARM Secure Boot is something completely different as far as I know.

            Originally posted by frign View Post
            I may choose not to buy ARM hardware with enabled SecureBoot, but what kind of agenda is this? There is a market to lose, a big potential to bring GNU/Linux to the masses and fighting what we called a monopoly a few years ago before everyone seemingly forgot what that is.
            SecureBoot is not securing your system, it is just luring you into a state of being locked to a certain operating system, as only a minority of attacks are focused on actually manipulating the bootloader or MBR.

            What does this lead to?
            Using Windows 8 imposes all risks of the last years. You will be target of all major virus-authors and be forced to use anti-virus software, because they may have "secured" the booting-process, but they did not get around fixing the actual operating system properly!
            We had this same discussion years ago with IE and fortunately, the fight was won.
            We have this discussion today regarding an even more sensitive topic (switching to FF is easier than unlocking your hardware or even buying new one in case of ARM) and I am afraid most users might not even care.
            UEFI Secure Boot has nothing to do with Windows 8, which is what gets people confused.

            I've called "UEFI Secure Boot" by a more descriptive name before: "UEFI Validated Boot". In effect, your system isn't secure at all, but at least parts of the boot sequence were *validated* during the boot process. Consequences are:

            - something modifies kernel code during boot? you're pwned
            - something runs in unprivileged mode? you're pwned
            - something modifies your kernel file? you won't be able to boot
            - something attempts to upload a trojan driver? you won't be able to boot or possibly load that driver

            Second, NOTHING, absolutely NOTHING prevents a hardware vendor from shipping a system with UEFI Secure Boot enabled with e.g. Linux and NO Microsoft keys, and instead their own keys or someone elses keys. (hell, YOU can even do this).

            (again, I'm not talking about ARM here)

            Comment


            • #16
              UEFI/secureboot is complete vendor lock-in crap.
              I've been using computers for decades, and I program for a living. I like to think that I know my way around a computer.
              I still had to follow a guide + it took about 2 hours just to get windows 8 off my laptop and linux onto it. I had to actually disable UEFI and fallback to legacy BIOS because I couldn't install anything else.

              Absolutely ridiculous.

              Comment


              • #17
                Originally posted by duby229 View Post
                No it was intended to be a vendor lock-in mechanism with the excuse that it would prevent unprotected code from booting. If MS had simply admitted what it was instead of making up an excuse for its existence I doubt it would be as heavily targeted today as it is.

                MS created the excuse and now it is only a matter of time until secureboot is completely compromised with the largest selection of boot viruses the world has ever seen. It would -not- have happened if secureboot never existed. This means that the next generation of viruses are going to be largely OS agnostic. They wont need an OS to function.

                MS is just completely retarded. Everything they do blows up. This isnt going to be any different.
                This is just speculation. Nothing more. You're not helping.

                Comment


                • #18
                  Originally posted by peppercats View Post
                  UEFI/secureboot is complete vendor lock-in crap.
                  I've been using computers for decades, and I program for a living. I like to think that I know my way around a computer.
                  I still had to follow a guide + it took about 2 hours just to get windows 8 off my laptop and linux onto it. I had to actually disable UEFI and fallback to legacy BIOS because I couldn't install anything else.

                  Absolutely ridiculous.
                  I'm sure this is a legitimate complaint. There will be many users with this problem. Bottom line is that you succeeded.

                  What system was this? Did the vendor provide documentation to you? Did you contact the vendor support line?

                  Comment


                  • #19
                    Originally posted by sofar View Post
                    I have not yet heard from something like that.

                    Intel is one of the companies working on UEFI, and therefore UEFI Secure Boot. As I said, ARM Secure Boot is something completely different as far as I know.



                    UEFI Secure Boot has nothing to do with Windows 8, which is what gets people confused.

                    I've called "UEFI Secure Boot" by a more descriptive name before: "UEFI Validated Boot". In effect, your system isn't secure at all, but at least parts of the boot sequence were *validated* during the boot process. Consequences are:

                    - something modifies kernel code during boot? you're pwned
                    - something runs in unprivileged mode? you're pwned
                    - something modifies your kernel file? you won't be able to boot
                    - something attempts to upload a trojan driver? you won't be able to boot or possibly load that driver

                    Second, NOTHING, absolutely NOTHING prevents a hardware vendor from shipping a system with UEFI Secure Boot enabled with e.g. Linux and NO Microsoft keys, and instead their own keys or someone elses keys. (hell, YOU can even do this).

                    (again, I'm not talking about ARM here)

                    Except that it is MS that issues keys. If I can use... say Redhats key (that was issued from MS).... for a livedvd that I publish, what would prevent a bootloader virus from using the exact same key?

                    And that is my point. It isnt speculation. Its fact.

                    Comment


                    • #20
                      To clear things up

                      Originally posted by sofar View Post
                      I have not yet heard from something like that.

                      Intel is one of the companies working on UEFI, and therefore UEFI Secure Boot. As I said, ARM Secure Boot is something completely different as far as I know.



                      UEFI Secure Boot has nothing to do with Windows 8, which is what gets people confused.

                      I've called "UEFI Secure Boot" by a more descriptive name before: "UEFI Validated Boot". In effect, your system isn't secure at all, but at least parts of the boot sequence were *validated* during the boot process. Consequences are:

                      - something modifies kernel code during boot? you're pwned
                      - something runs in unprivileged mode? you're pwned
                      - something modifies your kernel file? you won't be able to boot
                      - something attempts to upload a trojan driver? you won't be able to boot or possibly load that driver

                      Second, NOTHING, absolutely NOTHING prevents a hardware vendor from shipping a system with UEFI Secure Boot enabled with e.g. Linux and NO Microsoft keys, and instead their own keys or someone elses keys. (hell, YOU can even do this).

                      (again, I'm not talking about ARM here)
                      OFC UEFI SecureBoot doesn't have anything directly to do with Win8, because Intel developed it in the first place. But now comes the magic: Guess which software company forces its hardware-partners to use their keys in order to keep their Windows 8-license? I hope you didn't struggle to find this out.

                      And to be realistic, surely everybody can be his own key-publisher, but his imposes two fundamental problems:
                      - No hardware vendor goes Linux only (and I am not talking about sporadic Linux-machines)
                      - How much sense does this make, when everyone is free to author those keys? The end-users doesn't care and if the system hadn't been broken already, it would still suffer from fundamental problems in regards to actually securing the system.

                      I might have been not clear enough, but I know of the non-security of SecureBoot. Most attacks don't even focus on modifying the bootloader, and even if you tried, it is very hard to actually achieve something with it. The days are over when you wrote viruses to just break someone's computer by messing up his MBR.
                      Today, when you write a virus, you want to set up a botnet. And setting up a botnet is easiest by sneaking into a system without changing too much (speaking of boot parameters) and staying in userspace.

                      Talking of userspace, this is where Microsoft lacks today: Windows didn't change fundamentally in regards to their security: I guess, instead of working on security more thoroughly they rather focus on cementing their monopoly in the interest of a feigned "security" to shut the users up.

                      Comment

                      Working...
                      X