OpenBSD's De Raadt Slams Red Hat, Canonical Over 'Secure' Boot 391
An anonymous reader writes "OpenBSD founder Theo de Raadt has slammed Red Hat and Canonical for the way they have reacted to Microsoft's introduction of 'secure' boot along with Windows 8, describing both companies as wanting to be the new Microsoft."
A bit over the top (Score:5, Insightful)
We have been hearing various people who should know better that "Redhat is the next MIcrosoft" and variations on that theme now for at least a decade. Guess Ubuntu should take it as a sign that they have 'made it' that the same is now being said of them.
Not saying I agree with either of their solution to the Kobayashi Maru (otherwise known as Secure Boot) problem, but calling them 'traitors' is a bit much. Especially since I can't rightly say I have a better plan and neither does Mr. deRaadt.
Re:A bit over the top (Score:5, Insightful)
Especially since I can't rightly say I have a better plan and neither does Mr. deRaadt.
The better plan is to sue Microsoft for abuse of their monopoly.
Re:A bit over the top (Score:5, Insightful)
> The better plan is to sue Microsoft for abuse of their monopoly.
The old consent decree is long since expired. Good luck starting up a new round of lawsuits, Microsoft discovered lobbists after the last round so the DOJ isn't going to be bothering them again. So your plan is do nothing for years while a court case winds its way through the system and more then likely ends up going nowhere. Boy I'd love to take that plan to the stockholders meeting.
Re:A bit over the top (Score:5, Insightful)
Microsoft may have discovered lobbyists but their lobbyists didn't save them from EU rulings (Windows N with no media player, the "Browser Choice" screen etc). There is no reason to think the EU wouldn't be interested in investigating other abuses of monopoly power by Microsoft (including anything to do with secure boot)
Re: (Score:3)
well thats great for all of you in Europe and the UK, but for us over here in north America are still screwed up the @SS#013.
Re: (Score:3)
If Microsoft is defeated in EU courts, it could still help you a little back home, if nothing else by serving as an example.
Re:A bit over the top (Score:4, Informative)
Ok, you see, this exactly is a problem. This isn't a monopoly abuse in the classical sense it just is a move to establish the big enterprise at the cost of the smaller solutions. The thing is Microsoft paves the "way" to signed bootloaders in a way that is very unfriendly to homebrew since software can't (AFAIK) auto install it's certs into the pre boot process. This leaves two options: 1) manual installation of the certs by the end user which isn't very straight forward and could even become impossible 2) pre installation of all available certs by the manufaturer (now guess for how many reasons manufacturers aren't going to auto install keys for all available linux/hurd/bsd distros, yep there are many).
Which leaves independent guys that release some spin of some distro out of the game completely since they do not have the manpower to ring up all manufacturers and `demand` the inclusion of their signatures on the manuf's devices' uefi rom and makes it much more difficult for guys trying to do mobile device gnuxes hanging there not knowing how to actually respond.
So yeah. It hasn't anything to do with monopoly or any other 80s board game. It's just the fat bully pushing around the nerds.
Re: (Score:3)
auto install keys for all available linux/hurd/bsd distros
Couldn't everyone just leech off the "shim" boot loader that Redhat is going to have? Once you are in Grub I'd think you could boot whatever else you wanted (either that or I don't understand how they are implementing this). Is this somehow going to be made technically impossible by Redhat?
Of course this creates a much unwanted dependency on something which other distributions might not be able to include legally in their builds.
Re: They see me trollin' (Score:4, Funny)
2) pre installation of all available certs by the manufaturer (now guess for how many reasons manufacturers aren't going to auto install keys for all available linux/HURD/bsd distros, yep there are many).
It will be difficult to boot the Hurd on these machines? Think of the poor 4 people this will inconvenience...
Re:A bit over the top (Score:5, Insightful)
The better plan is to sue Microsoft for abuse of their monopoly.
You mean, so that they can be found guilty again and let go without so much as a hand-slap again? Yes, that would be a wonderfully immense waste of taxpayer dollars.
Re: (Score:2, Informative)
MS trial [wikipedia.org]
The DOJ announced on September 6, 2001 that it was no longer seeking to break up Microsoft and would instead seek a lesser antitrust penalty. Microsoft decided to draft a settlement proposal allowing PC manufacturers to adopt non-Microsoft software.
Who was president in Sept 2001 again?
Re:A bit over the top (Score:4)
Actually the announcement came from a federal court of appeals in late 2000. QUOTE: "The D.C. Circuit Court of Appeals overturned Judge Jackson's rulings against Microsoft. This was partly because the Appellate court had adopted a "drastically altered scope of liability" under which the Remedies could be taken......" In other words they decided not to breakup the company.
Late 2000..... before President Shrub arrived on the scene. But hey! Why let "facts" get in the way of good-ole FOX or NBC style distorted reporting?
Re:A bit over the top (Score:4, Interesting)
Who? [bbc.co.uk] What? [theregister.co.uk]
Re: (Score:2)
So they disagreed with his 'method' but not his findings.
To which Shrub decided to publicly not ask for much.
Re:A bit over the top (Score:5, Informative)
Of course, the DOJ decision was after this little tidbit:
The D.C. Circuit Court of Appeals overturned Judge Jackson's [original judge who issued the breakup order] rulings against Microsoft. This was partly because the Appellate court had adopted a "drastically altered scope of liability" under which the Remedies could be taken, and also partly due to the embargoed interviews Judge Jackson had given to the news media while he was still hearing the case, in violation of the Code of Conduct for US Judges.[17] Judge Jackson did not attend the D.C. Circuit Court of Appeals hearing, in which the appeals court judges accused him of unethical conduct and determined he should have recused himself from the case.
(bracketed bit inserted by me)
Re: (Score:2)
Especially since I can't rightly say I have a better plan and neither does Mr. deRaadt.
The better plan is to sue Microsoft for abuse of their monopoly.
Perfect, then we can wait a decade for the case to go anywhere, only to have it thrown out in the end and all computers made within the past decade remain unusable.
Re:A bit over the top (Score:4, Interesting)
Desktop and laptop PCs are still 88% dominated by the Microsoft OS. Requiring other OS makers to buy a license from Microsoft is very clear evidence of using their monopoly power to stifle competition. Opera won their lawsuit in the EU with lesser charges. (MS didn't block Opera... just made it difficult to compete against the free OS-embedded IE.) In this case MS is actively blocking Chrome, Ubuntu, Kolibri and other OSes.
I guess I just found another reason to buy a Win7 PC instead of the Win8 version with blockeboot.
Re: (Score:2)
I guess I just found another reason to buy a Win7 PC instead of the Win8 version with blockeboot.
On this at least, we fully agree :)
Any idea how Win7 will be treated by UEFI should we want to install it onto 'newer' hardware in the future?
Re: (Score:2)
>>>Any idea how Win7 will be treated by UEFI should we want to install it onto 'newer' hardware in the future?
Disable the SecureBoot and install Win7 normally. The only problem I worry is that Win7 might not have the necessary modem, printer, wifi, etc drivers for newer i9 or i11 computers?
Re:A bit over the top (Score:5, Insightful)
"Requiring other OS makers to buy a license from Microsoft is very clear evidence of using their monopoly power to stifle competition"
It certainly would be. The only problem is that they're not doing that at all.
The industry as a whole agreed to ratify the basic Secure Boot mechanism as part of the UEFI standard. Secure Boot as described in the UEFI standard does not say anything at all about who should sign code and issue keys and any of that stuff. All it does is say 'here is a mechanism called Secure Boot by which the system firmware can maintain a list of keys and refuse to run code which is not signed by one of those keys'.
So once that's in the UEFI standard, we have a world where there is this thing called Secure Boot which operating system developers and hardware vendors can *choose* to implement. Or not. The UEFI standard says nothing about whether it ought to be used, what keys ought to be included, or anything like that.
So Microsoft, as an operating system vendor, decides they want to use this Secure Boot thing. They're going to sign their operating system, and require vendors who want to pre-load that operating system on their systems to ship Microsoft's key. So that their operating system will run. This is what the Microsoft Windows 8 certification requirements for x86 state: you have to turn Secure Boot on by default and include our key.
What the certification requirements explicitly do _not_ state is this: 'you can't include any other keys'. They definitely don't say that. They just say 'you have to include Microsoft's key'. There's no restriction at all on shipping any number of other keys. Additionally, the certification requirements explicitly require that the user be able to enrol their own keys, and also disable Secure Boot if they so desire.
So...Microsoft's requirements for OEMs are that they enable Secure Boot by default (but allow it to be disabled) and ship Microsoft's key (but they can also happily ship any number of other keys, if they choose).
It's logically impossible to construe this as "Requiring other OS makers to buy a license from Microsoft". It doesn't do that, at all. Other OS makers can have their OS signed by themselves or anyone else they like, and ask hardware manufacturers to ship that key. Microsoft does nothing to prevent this. Or they can choose not to sign their OS at all, and ask users to disable Secure Boot. Microsoft does nothing to prevent this. Or they can _choose_ to have Microsoft sign their OS so it'll work without them needing to get any other key loaded into firmware; Microsoft didn't _have_ to provide public signing services, but they are doing so to avoid a PR shitstorm. If Microsoft really wanted to be evil, why would it provide public signing services at all? Wouldn't it be more effective just to say 'no, we won't do that'?
I find it highly unlikely that you could build a convincing case of monopoly abuse over Secure Boot for x86, when the actual facts of the matter are taken into account. They just don't support the accusation strongly enough. If Microsoft could be shown to be exerting pressure to prevent alternative signing groups from existing or getting their keys loaded onto hardware, then maybe...but AFAIK no-one has shown such.
(disclaimers: I am not a lawyer and this is not legal advice or a legal opinion. Furthermore, though I work for Red Hat, I am not directly involved in any RH evaluation of this issue, I am not involved in RH legal in any way, and this is entirely a personal opinion and not in any way representative of Red Hat. It is not Red Hat's official position on the issue of the legality or otherwise of Microsoft's actions. I specifically leave open the possibility that Red Hat as an entity might take a completely opposite view of the case.)
Re:A bit over the top (Score:5, Informative)
Now here's an essay for you to read..... written by the Free Software Foundation:
(snip)
In theory, there should be no problem. In practice, the situation is more complicated. As currently proposed, Secure Boot impedes free software adoption. It is already bad enough that nearly all computers sold come with Microsoft Windows pre-installed. In order to convince users to try free software, we must convince them to remove the operating system that came on their computers (or to divide their hard drives and make room for a new system, perceptually risking their data in the process).
With Secure Boot, new free software users must take an additional step to install free software operating systems. Because these operating systems do not have keys stored in every computer's firmware by default like Microsoft does, users will have to disable Secure Boot before booting the new system's installer. Proprietary software companies may present this requirement under the guise of "disable security on your computer," which will mislead new users into thinking free software is insecure.
Without a doubt, this is an obstacle we don't need right now, and it is highly questionable that the security gains realized from Secure Boot outweigh the difficulties it will cause in practice for users trying to actually provide for their own security by escaping Microsoft Windows.
It's also a problem because the Windows 8 Logo program currently mandates Restricted Boot on all ARM systems, which includes popular computer types like tablets and phones. It says that users must not be able to disable the boot restrictions or use their own signing keys. In addition to being unacceptable in its own right, this requirement was a reversal from Microsoft's initial public position, which claimed that the Windows 8 program would not block other operating systems from being installed. With this deception, Microsoft has demonstrated that they can't be trusted. While we are interpreting their current guidelines, we must keep in mind that they could change their mind again in the future and expand the ARM restrictions to more kinds of systems.
The best way out of all of this (other than having all computers come pre-installed with free software) would be for free software operating systems to also be installable by default on any computer, without needing to disable Secure Boot. In the last few weeks, we've seen two major GNU/Linux distributions, Fedora and Ubuntu, sketch out two different paths in an attempt to achieve this goal.
Fedora's approach
There is much to like about Fedora's thinking, as explained by Matthew Garrett......... Unfortunately, while it is compliant with the license of GRUB 2 and any other GPLv3-covered software, we see two serious problems with the Microsoft program approach.
1) Users wishing to run in a Secure Boot environment will have to trust Microsoft in order to boot official Fedora. The Secure Boot signing format currently allows only one signature on a binary -- so Fedora's shim bootloader can be signed only by the Microsoft-vouched key. If a user removes Microsoft's key, official Fedora will no longer boot, as long as Secure Boot is on.
2) We reject the recommendation that others join the Microsoft developer program. In addition to the $99 expense being a barrier for many people around the world, the process for joining this program is objectionable. A nonexhaustive list of the problems includes: restrictive terms in multiple of the half-dozen contracts that must be signed, a forced commitment "to receive targeted advertisements and periodic member email messages from Microsoft," and a requirement to provide notarized proof of government-issued identification and a credit card.
Ubuntu's approach
Their approach has the same issue as Fedora's official method. Users have to trust Microsoft in order to boot official Ubuntu CDs. Their certification program amplifies this problem, because it means no one can sell certified Ubuntu machines without trusting Microsoft.
Re: (Score:2)
And if you read that document the FSF advocates options b) and c) in my previous post. (installing their own keys, signing their own code). This is something users are free to do without having to trust in microsoft nor interact with microsoft, nor "beg" for licenses from microsoft.
In other words, the FSF, unlike you, recognizes that users can install other OSes without Microsoft.
Re: (Score:3)
Actually, there's no reason the OS shouldn't be able to turn Secure boot ON using ACPI. There is good reason the OS shouldn't be able to turn it OFF.
Re: (Score:2)
I find it highly unlikely that you could build a convincing case of monopoly abuse over Secure Boot for x86,
Oh yeah? It was not that hard to build a convincing case for monopoly abuse when it came to Netscape and IE. Remember the process required to remove IE from a system? I suspect that all it would take is to show a court what a user has to do to remove Microsoft's key from their Windows 8 system, and the case would be made right then and there.
Re: (Score:2)
This is a pathetic response. Companies with resources like Red Hat and Canonical should take the effort to register keys directly from BIOS and/or motherboard manufacturers. The time to get these arrangements is now, when UEFI is in its infancy, not later when Microsoft changes their policies and keys. Some computer manufacturers will choose to not enter agreements, others won't allow you to disable Secure Boot. The right approach is for people who care to support manufacturers that aren't imbeciles. The pr
Re: (Score:2)
It wasn't the gas tanks that were bad on the Pintos, it was bolts behind the tank that were too long. Ford recalled and fixed them. I know, I had a '74 Pinto that was recalled back in the day, with mag wheels!
What Ford didn't/couldn't fix was the horrid way the car shook between 64 and 72MPH. They didn't have to fix that because the national speed limit was 55MPH.
Re:A bit over the top (Score:5, Informative)
), but it doesn't change the fact Canonical and Redhat were forced to buy a license *from Microsoft* or else their OSes would not run.
That is not true.
Their OSes will run just fine provided any of the following are done:
a) the user logs into UEFI and disables secure boot
b) the user logs into UEFI and installs a distro key
c) the user logs into UEFI and installs their own key and signs the distro themselves.
d) the distro provider works with the manufacturer to have their key pre-loaded the same as microsofts.
Microsoft (currently) does prevent or even hinder any one of those alternatives on x86.
Canonical and Red Hat noted that a & b require at least a nomimal effort by the end user. (c requires a fair bit of effort for the end user) And that d required a substantial effort on their part.
So they chose "e) sign our distros with the MS key" that Microsoft already took the effort to have preloaded so that our users don't need to take the nominal step of disabling secure boot or of installing their own keys.
"That is called restraint-of-trade and it is VERY clearly a violation of the Sherman Antitrust "...
No its not.
"now they are actively blocking other OSes from Opera/Google/other OSes from running (unless they beg MS for a license)"
You don't need a license from microsoft. The end user can disable secure boot. The end user can install their own keys. The distro can approach the hardware manufacturer and have their own keys preloaded along side microsofts.
Microsoft isn't preventing anyone from doing anything, and you do not need to interact with microsoft at all to install other OSes.
Please COMPREHEND the above before replying or commenting on the subject further.
Re: (Score:2)
You said this:
Microsoft (currently) does prevent or even hinder any one of those alternatives on x86
Then you turned around and said this:
Microsoft isn't preventing anyone from doing anything, and you do not need to interact with microsoft at all to install other OSes.
Please elucidate what are you trying to get at
Thanks !
Re: (Score:2)
Clearly, my bad. I'd hope the sentiment was clear from the over all post, but for the sake of correcting it, the "does" in the first quoted sentence should be "does not" or "doesn't".
Re: (Score:2)
Microsoft (currently) does prevent or even hinder any one of those alternatives on x86.
I see what you did there...
(For the record, I own an ARM desktop)
Re: (Score:3)
You don't need a license from microsoft. The end user can disable secure boot. The end user can install their own keys.
Until that day when the user can't. Even Canonical admitted that this is not just a possibility in the future, but quite likely.
Re: (Score:2)
the fact Canonical and Redhat were forced to buy a license *from Microsoft* or else their OSes would not run
So the fact that they chose to pay Microsoft $80 rather than establish vendor relationships with every motherboard and BIOS manufacturer (as Microsoft did) creates a situation of force?
"Oh that's okay... it's a free market. I love the megacorps". You Corporate loving sellout.
ah, this was just an excuse to lash out at somebody, wasn't it?
Re:A bit over the top (Score:5, Informative)
"That's a nice 3-page essay (double-space I presume), but it doesn't change the fact Canonical and Redhat were forced to buy a license *from Microsoft* or else their OSes would not run."
That's still not a fact. We were not forced to buy a license. We had several options, which Matthew outlined way back at the start of this whole saga, in this blog post:
http://mjg59.dreamwidth.org/12368.html [dreamwidth.org]
Specifically, the paragraph headlined "Getting the machine booted". It mentions the other options, including "the possibility of producing a Fedora key and encouraging hardware vendors to incorporate it" and "producing some sort of overall Linux key". There is also the obvious negative possibility of simply not signing anything at all; this would require users to disable Secure Boot in the firmware before installing Linux, but it doesn't prevent them from doing so.
Both Fedora (note, Fedora, not RH; RH does not necessarily always follow what Fedora does) and Ubuntu had several choices and _chose_ to go with the Microsoft signing service as the 'least bad' option (well, Ubuntu will also be self-signing, for OEM preloads). The fact that we are _choosing_ to get our releases signed with the Microsoft/Verisign key does not imply that we were _forced_ to do so. We _choose_ to do so on the basis that it'll provide the maximum possible success rate of Fedora installs with the minimum amount of work. We could have chosen to self-sign, or not to sign at all, and ask users to disable Secure Boot or import our key. We decided not to do so.
"Problem si that peope like YOU seem to think corproatuions never od anything wrong"
This is an absurd stretch. You appear to be implying that anyone who suggests that a corporation might ever do anything at all that is _not_ wrong, must therefore believe that a corporation can _never_ do anything wrong. This is clearly ridiculous and false. You also mistake my opinion that Microsoft's actions are _not illegal_ for an opinion that they're _right_. These are not the same thing at all. I have carefully refrained from stating in public any personal opinion on the Rightness or Wrongness, from an ethical/moral standpoint, of Microsoft's actions. This is intentional. What I have said several times is that I don't believe the actions can successfully be characterized as _illegal_. Not everything that's wrong is also illegal. But if something is wrong/bad but not illegal, then you can't defeat that something through the courts. This sub-thread was prompted by someone saying that RH and Canonical should have chosen to prosecute or sue Microsoft. My point is that this is hardly a viable option if the suit would fail.
Re: (Score:3)
That is called restraint-of-trade
No it isn't. To commit restraint of trade you actually have to restrict trade. No judge is going to see a $99 processing fee as restricting trade.
Re:A bit over the top (Score:5, Interesting)
It increases the cost of business for Canonical/RedHat to negotiate with all the OEM manufacturers and get them to include their key.
If you're Microsoft and already have deals with all OEM manufacturers, the cost may be negligible, but if you're Canonical/RedHat and your OS comes pre-installed on less than 1% of desktops, it may not be practically possible.
This is true for anyone who wants to enter the market for desktop operating systems and potentially compete with Microsoft. In economical terms, the SecureBoot system raises the barrier of entry for the desktop OS market.
Because of Microsoft's history of anti-competitive behaviour, I'm also worried about what they'll do next. Once they have control over the SecureBoot system, they could work to make it mandatory, citing piracy as reason. They could also pressure the OEM manufacturers, inofficially, to say "no" when a competitor asks them to include their OS keys. They could make it slow and costly for competitors to get new OS versions signed. Smaller Linux versions, without the backing of a corporation, won't be able to afford signing or getting OEM manufacturers to include their keys.
I don't know what'll happen, but having control over SecureBoot seems like too much power to place in the hands of any company.
Then there's the risk that the state will abuse the system once it's in place. SecureBoot controls what OS can be run, and the OS can control what software can be run, using a system of checksums and signing keys. In fact, the technology for that is already in place in Windows Vista onwards, but for the moment, you only get a warning when you try to run an unknown executable. If the state decides to outlaw certain software (such as encryption, hacking tools or P2P file sharing programs), SecureBoot combined with Windows enables them to enforce that law. If that ever happens, it'd be very good for Microsoft, since it severely reduces competition in the OS market, and gives even more power to the company who handles the signing of their competitors' OS:es.
Re:A bit over the top (Score:4, Interesting)
What about ARM?
What about it?
Microsoft doesn't have a monopoly in ARM devices (tablets and smartphones). Their competitors in Apple and even many Androids have restricted boot to their signed binaries.
We all agree that its not the situation we want, and we all agree we should demand the right to the keys to our devices (which we currently have on x86).
But it is absurd to suggest Microsoft is abusing its monopoly position in the ARM device market.
Re: (Score:2)
And that supposes you could claim ARM as a separate market from x86. MS could probably pretty easily argue that there is a tablet market, and that they have offerings in that market where you have to use restricted boot, and some where you don't. At that point you'd have to show they are intentionally making it hard to get the ARM only version, which if they have any brains (and they might not) they won't.
Re: (Score:2, Troll)
But it's a simple point of fact to state that it is using a monopoly position in one area of a market to abuse another.
How on earth do you see the two linked?
To "abuse a monopoly position" would require that one need a monopoly in order to do something else. Ie... only Microsoft could abuse its desktop monopoly to force internet explorer onto every desktop. Opera can't put its browser on every desktop no matter how badly it wants to because it doesn't have that desktop monopoly.
So how does having a desktop
Re:A bit over the top (Score:4, Insightful)
So how does having a desktop monopoly facilitate Microsoft's move on ARM?
I'm not so familiar with the facts of the case, so I'm only speaking hypothetically, but Microsoft could use their monopoly on desktop OS:es as leverage when they negotiate with OEM manufacturers, and get them to lock down ARM devices.
Re: (Score:3)
so I'm only speaking hypothetically, but Microsoft could use their monopoly on desktop OS:es as leverage when they negotiate with OEM manufacturers, and get them to lock down ARM devices.
Apple, Samsung, HTC, Motorola, all have locked down bootloaders on devices... clearly you don't need a desktop monopoly for leverage here.
Re: (Score:3)
And in order to gain a monopoly on that new platform, they lock it down there.
How does locking it down gain them a monopoly in a new market?
If people want an android arm device they buy one...
If they want an apple arm device they buy one...
The fact that you can't install ios or android on your arm tablet that came preloaded with windows 8 is hardly going to gain them a monopoly.
None of these companies have a desktop monopoly, hence it doesn't matter what they do.
Microsoft isn't leveraging its monopoly at al
Re: (Score:3)
Yeah, that's why I limited my post specifically to x86. The ARM requirements are much stricter: Secure Boot must be enabled and must not be disable-able, and the user must not be able to enrol their own keys. I don't believe the requirements reject the possibility of other keys being preloaded, but in practice I doubt we'll see that.
As other responders have pointed out, though, there's a different problem with alleging monopoly abuse when it comes to Windows RT / ARM, which is that Microsoft doesn't have an
Re: (Score:3, Informative)
Re: (Score:2)
Yes. Either the UEFI spec or the Microsoft requirements (I forget which) state that if the user removes all keys, the machine should go to 'secure boot disabled' state. So if the specs are actually followed, you should be able to remove the Microsoft key from any hardware you buy and that will automatically kick the system into 'secure boot disabled' state. Or you could just disable it directly.
Re:A bit over the top (Score:5, Insightful)
> but calling them 'traitors' is a bit much.
Not really. They valued convenience over freedom. That is the antithesis of GPL / BSD. Once you start compromising your values for freedom it becomes easier to justify the convenience.
To paraphrase Ben Franklin: "Those Who Sacrifice Liberty For Security Deserve Neither"
At some point this short-sightedness will come back to haunt them.
Re: (Score:2, Informative)
I think in this case, the additional words are important:
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."
I give up liberties all the time, for various reasons.
Re: (Score:3)
Nope. They valued their customers over fighting some stupid pissing contest.
What exactly are their chioces?
1) Do nothing
2) Whine about how unfair it is
3) Label their product with: Not compatible with any PC with a Windows logo on it
4) Create their own signing infrastructure, sign their binaries, work with all motherboard and system provides to get their key installed
5) Sign their binaries using an already-trusted key
6) Tell their users to disable Secure Boot
7) Tell their users to create and install their
Open source != free software (Score:2)
Re: (Score:3)
Do you want to tell that to all the people that died for WW1 or WW2 ?
It is unfortunate that people have to die, but sometimes that is the only way to get others to listen -- that certain concepts, such as freedom are MORE important then one man's life.
Re: (Score:2)
Guess Ubuntu should take it as a sign that they have 'made it' that the same is now being said of them.
Maybe we should hold off on that until they turn a profit....
Expected (Score:4, Informative)
I love OpenBSD, and run it on my firewall at home, but anyone who's followed De Raadt over the years has to be 100% expecting this.
Including the over-the-top language.
Re: (Score:3, Insightful)
Re: (Score:3)
Re: (Score:2, Interesting)
I've posted exactly one thing on the OpenBSD mailing list (I forget what... something technical and innocuous anyway) and I've been flamed by Theo De Raadt. I think you could make money selling T-shirts that said, "I've been flamed by The De Raadt". I've got a lot of respect for what he's accomplished, but flaming seems to be his customary mode of interaction.
I've also, on occasion, had the opportunity to interact with RMS via email. He has always been extremely generous with his time, gracious and polit
Re: (Score:2)
After writing emacs, what else was there for him to need to write?
how about a kernel?
to harsh?
1 thing I admire about him (Score:4, Insightful)
He has courage. You have to admire him for being so forthright, right or wrong. It takes balls to act as he does in today's "politically correct society" (what a bunch of hooey) - which in my opinion, is just being as honest as he can despite profanities and what-not.
I state that, because there's truly only 1 thing I personally respect in debates: When people are shown incorrect with facts versus their points. Undeniable reputably backed hard facts that are on the subject at hand, only.
Otherwise, things like ad hominem attacks are nothing but rubbish crap, period.
Thus, when Mr. DeRaadt's undeniably shown to be full of utter crap on statements he's made (we all make mistakes mind you) and moreso, consistently? Then his detractors have actually made a solid point.
When Mr. DeRaadt hasn't been utterly disproven beyond a doubt on his ideas, despite his "let it all hang out" attitude (which to a degree I respect a great deal for the reasons stated above but admittedly, other times not), he has made HIS point, disproving his detractors.
It's as simple as that.
In other words, what I have noted is that when the media or other groups attack a person on illogical grounds, ala ad hominem attacks? They fear them (and often for quite selfish and often nefarious reasons that aren't for the good of others, only themselves. Just an observation from over 1/2 a century of my life now.)
Re: (Score:2, Interesting)
People like to throw 'ad hominem' around way too much, because it sounds all clever, I guess. It doesn't work all the time.
An 'ad hominem argument' is an error when you're formally debating a specific argument with another person, and you try to win by attacking the person. 'You say that this apple is green, but I say that you smell and your mother is French, therefore the apple is red and I win!' That's a true case of an 'ad hominem argument' which is flawed.
You can't just go around yelling 'ad hominem' ev
Re: (Score:2)
Not 'period', in precisely the case I explained above. If the whole point of what they're saying is 'X is an asshole and therefore I refuse to associate with X', complaining that it's an ad hominem argument is utterly missing the point. The point being that not everything is, in fact, formal logic. It doesn't make sense to apply the rules and standards of formal logic to every statement any person makes. OP was not attempting to demonstrate a fact via formal logic, he was expressing his personal opinion tha
Re: (Score:3, Informative)
http://www.trollaxor.com/2010/06/why-i-left-openbsd.html
Copy and paste from this retard.
Re: (Score:2)
but the more I got involved in developing for OpenBSD the more I was dissuaded from doing so. Part of the issue was this focus on security.
Wait, the thing that bothered you about OpenBSD development is that it was focused on security? Friend, I'm gonna say you should have done a little more research before deciding to join that project.
Re: (Score:2)
Nobody can tell me that people like yourself, that act the meek worm online with innuendo and implications with no backing is now playing psychiatric pro (which you clearly are not) is not the worst offender of all via implication and innuendo possible
Theo i see you are your cordial self as always
From the article: (Score:4, Insightful)
Responding to a query from iTWire about what OpenBSD, widely recognised as the most security-conscious UNIX, would be doing to cope with "secure" boot, De Raadt said: "We have no plans. I don't know what we'll do. We'll watch the disaster and hope that someone with enough power sees sense."
Is not wanting to "be the new Microsoft" worth being unprepared for a "disaster?"
Re: (Score:2)
That's my take on things. Secure boot, at this moment is 'do a deal with the devil or give up on being on those systems'.
I have no idea how Microsoft ended up being in the position to dictate this state of affairs, and hardware manufacturers should be ashamed of themselves. The law should be that you have the keys to your own hardware.
Maybe someone will sue over it and reverse it that way.
But I don't think of RedHat or Canonical as doing something evil over this, just trying to survive.
Re: (Score:2)
red hat may have lots of money but microsoft has a shit ton more and the all of the people in power in their pocket. canonical has been running in the red for years and is pretty much run off of shuttelworths bank account and donations of time and money not going to be in a challenger to MS in court any time soon.
Re: (Score:2)
As for leaving me "vulnerable to a root kit", I will deal with that my own way, not Microsoft's way, thanks very much. Microsoft's way would be like leaving your house security in the hands of crooks.
Re: (Score:2)
"He is not "begging user to turn off secure boot", because, and this is the point, we will not be able to, the way things are going. "
What's 'the way things are going'? What support do you have for this assertion? Microsoft's Windows 8 compliance requirements specifically state that the user of a system must be able to disable Secure Boot. Microsoft are actually _requiring_ OEMs make it possible to disable Secure Boot.
Re:From the article: (Score:4, Insightful)
for now they require it on X86 and X64 systems but it is locked on arm. but what about windows 9? will it be removed because like the start menu because "so few people were using it".
Re: (Score:2)
Great FUD bro. Tell it again.
Re: (Score:3)
not really all that far fetched Microsoft would love to be the only os on pc's. they have actively smeared Linux and spread fud, they brought xp back form the dead to keep Linux off of mass marketed net-books, and tried to kill it by proxy with sco, they have accused it of being a cancer and communist, they have likened Linux users to pirates and malicious hackers. they have also baselessly accused Linux of patent infringement. Why would they not try to lock down PC's? and they tried to do the same thing be
Re: (Score:3)
IIRC - Theo (Score:4, Interesting)
Isn't Mr. De Raadt known for being a bit... shall we say, "pointed" on these sorts of things?
Re: (Score:2)
That's a nice way to put it.
So what's the plan, Theo? (Score:4, Interesting)
Ok, Theo, let's hear your solution then. I, for one, would really love the ability to secure boot a Linux system, knowing that every component is still exactly as it was when I last checked it and nobody has sneakily installed malware that secretly emails spam to all my friends and my financial details to carding sites. Trusted hardware root and signed executables are good things. So tell us then how we are supposed to get them? You obviously do not believe that we should be using Microsoft's key to sign the bootloader. What should we use? Keep in mind that while you have no difficulty installing your own keys in the BIOS, to a typical user (you know, those poor shmucks who get infected most often) that's deep voodoo. Also keep in mind that while Microsoft has the pull to get its key loaded by default into all the TPM chips manufactured, Ubuntu does not. Neither does BSD.
Re: (Score:3, Insightful)
The BIOS key comes printed in the manual. As a user, if you install the OS, you have to type that number in. Users who cannot enter numbers from a manual when prompted don't generally install OSes.
Re: (Score:3)
A manual could get lost. What's about printing the key on M/B itself, like they do it with MAC ID? It better be some kind of bar code (RSA-4096 wold be tough to type in). Or (and?) BIOS/EFI could have a dedicated page where it shows the whole key in a hand-help scanner friendly format. But in this case the snapshot could leak to the internets.
Volume manufacturing? (Score:2)
I wouldn't be surprised if the mass production of pre-installed systems will be helped with some sort of system that installs "enterprise/OEM" keys into the OS or the BIOS so fully automated installs can take place.
Now where have we seen this done before and what happened because of it?. I doubt this whole "secure boot" thing will last very long before software pirates will have found a way around it again. Once that happens, so will the malware authors and the wohle exercise will be useless again, just li
Re: (Score:2)
Virtualization works very well against it.
Re: (Score:2)
The BIOS key comes printed in the manual.
Not if the manual is as crappy as some that I have seen. And when you buy a PC from the high street, there is no guarantee that you will be forwarded the motherboard manual.
Re: (Score:2)
If the key required to install ANY operating system is in the manual, you'll be given the manual. Or print it on the motherboard itself as someone else suggested.
External intermediate nonce & public key & (Score:5, Informative)
You ship the TPM with a per-TPM public key in it, and a USB dongle with a certificate on it signed with the per-TPM secret key for the per-TPM public key, and then you require the presence of the dongle to intermediate the installation of the OS of your choice onto the machine. You allow installation of other public keys signed with the private key, and you have another public key and separate private key to permit per-device self-signing of whatever code you want, but only on a per-device basis.
Then you have your BIOS/EFI/UEFI/Coreboot/u-boot refuse to do anything other than go into "install mode" if the dongle is inserted so that the dongle will be removed after installation for normal operation so that it can't be abused by malware.
After that, all vendors are responsible for securing their own OS past the point of it being loaded into memory.
Re: (Score:3, Insightful)
Even better, just have a fucking pushbutton on the side of the box.
You want to install your own bootloader? Great, it will try to write its key - and you hit the little button to commit that. A virus sneaks onto your machine? Good luck reaching out of the CPU to toggle a physical contact.
Re: (Score:3, Interesting)
Re: (Score:2)
Has this ever been an issue with you on Linux? If secure boot does not allow you to run Python, a lot of scripts won't run. If it does allow you to run Python, a malicious Python script might still get you.
Since when does any Linux have auto run for anything enabled by default, and any you download you would have to set the executable bit on anyway. not an issue.
This stinks! (Score:3, Interesting)
Re: (Score:3)
Like RMS, Theo De Raadt is right when everyone (Score:5, Interesting)
else is wrong.
Sadly, MS has the power to take control of our computers away from us --and with secureboot they're doing exactly that. This is a direct attack on personal computing and the freedoms of the end-user to control the software on their computer.
RMS and Theo De Raadt are both right on this --but neither one of them has the influence needed to avert this attack, so it doesn't matter.
The era of personal, general-purpose computing is over.
Re: (Score:2)
"Sadly, MS has the power to take control of our computers away from us --and with secureboot they're doing exactly that."
By...specifically requiring that you have the ability to turn Secure Boot off, and enrol your own keys?
The Microsoft Windows 8 certification requirements specifically require both these things. The UEFI spec does not. A manufacturer who complies only with the UEFI spec has *more* freedom to restrict your ability to control the hardware than a manufacturer who also complies with the Window
Re: (Score:3)
"There will be a mechanism to turn off this method of booting on x86 hardware."
What's OpenBSD supposed to do on ARM, where Microsoft has mandated that Secure Boot can't be disabled? From the Microsoft "Windows Hardware Certification Requirements" [microsoft.com], page 116:
Microsoft Certification and BIOS (Score:2)
Re: (Score:2)
From what I understand, Windows 8 will run on most contemporary hardware. I installed it on a 3.8GHz P4 system and it ran fine. But it looks like if you want Microsoft Certification, then you need a BIOS that contains the UEFI code. But what if a manufacturer doesn't care about Microsoft Certification and elects to install Windows 8 on a PC with a UEFI BIOS? Then Linux or other operating systems should have no problems dual booting with Windows 8. I conclude that market conditions may cause some PC OEM's to eschew this BIOS extension altogether. Especially if it annoys their potential customer base.
Darn, I meant "But what if a manufacturer doesn't care about Microsoft Certification and elects to install Windows 8 on a PC without a UEFI BIOS? " Then they will be able to dual boot Windows 8 without Microsoft issuing a UEFI license.
Re: (Score:2)
Please stop confusing UEFI and Secure Boot. It makes it impossible to communicate with you.
Re: (Score:2)
You might want to learn what the hell UEFI is before sounding ridiculous.
UEFI is not a 'BIOS extension'. BIOS and UEFI are completely different standards for firmware for PCs. UEFI is intended to _replace_ BIOS.
UEFI is also not the same thing as Secure Boot. Secure Boot is one feature of recent versions of the UEFI specification.
"From what I understand, Windows 8 will run on most contemporary hardware. I installed it on a 3.8GHz P4 system and it ran fine."
Windows 8 does not require Secure Boot to be enabled
Losing Influence (Score:4, Informative)
Personally, I never liked Windows, but with Metro even on Server, I'll be seriously pushing Linux at work.
Re: (Score:2)
Window 8 is about turning windows into an embedded platform like an iphone. Both securing the systems and letting them like a cut of all software through their software store. You'll be installing windows 8 with a smile on your grandmothers and parents computers. Of course you wouldn't be caught dead using it. All enthusiasts have all long jumped ship on windows except for gaming.
With windows 8 and Microsoft taking a cut I expect it to motivate a PC games dedicated Linux distribution and more development on
Theo ranting, film at 11 (Score:5, Interesting)
Theo, ranting, is why he got kicked off the NetBSD project. Theo, ranting, is why OpenBSD's drivers for Broadcom chipsets stink. (Look up how the original author tried to resolve the licensing problems of sticking his GPL drivers in an OpenBSD kernel and was ignored, then screamed at by Theo for making the issue public.) Theo, ranting, is why OpenBSD doesn't properly handle booting from software RAID. Theo, ranting, is why the OpenBSD installer works like the UNIX crap I learned to loath back in 1985 and can't store the state of what you've already selected or go back, you just have to start over from scratch. Theo, ranting, is why OpenSSH has no built-in support for chroot cages. Theo, ranting, is why OpenBSD has no virtualization server capability. Theo, ranting, is why OpenSSH still stores both host keys and by default, user private keys in clear text with no expiration, and has no plans to fix this. Theo, ranting, is why the "compatiblity chart" is a list of chipsets that don't match the actual chipsets published by the manufacturer, and usually are from chipsets at least 4 years old.
Theo, ranting, usually means you're doing something right for your actual client base rather than for his ivory tower. There's a reason OpenBSD is used only by fanboys who run it on "hobby" systems and don't get any work done. And yes, I've dealt with the crap for years: I *wrote* the first SunOS ports of SSH-1, SSH-2, and OpenSSH. (Theo's fan club did not write SSH: they ported Tatu's previously GPL work into OpenSSH, and screwed up the license. Surprisingly little of the actual codebase is due to OpenBSD hosted development.)
I don't get it (Score:3)
whats to stop manufacturers from not including secure boot in their hardware. No way there isn't a big market for some Chinese manufacturer to jump onto this and have the Linux world use their hardware.
Re: (Score:2)
whats to stop manufacturers from not including secure boot in their hardware. No way there isn't a big market for some Chinese manufacturer to jump onto this and have the Linux world use their hardware.
What's to stop manufacturers from not including secure boot in their hardware? Threats of litigation by Microsoft.
More motivation to hack/root all bios from now on (Score:2)
I'm more surprised that bios replacement isn't already more prominent. It's not all that complicated to reverse engineer hardware initialization, it's just that it isn't necessary. Hardware will always be rootable. And software will always be able to implement emulation and man in the middle on such hardware. It will just require more active participation from the hardware owner, no virus or software installation will be able root the system without you actively participating.
Re: (Score:2)
Re: (Score:2)
Given that Apple is actively adding Secure Boot Chain [crn.com] to their own devices, I wouldn't place a bet on them as the safe hardware platform here. Normally I buy used Lenovo laptops to put Linux on them. If Microsoft's Secure Boot starts to be more of an issue, I'd probabaly switch to a Linux hardware rebranding company like Emperor Linux [emperorlinux.com] to make sure I didn't end up with a problem system.