Forgot your password?
typodupeerror
Microsoft Red Hat Software Ubuntu News

OpenBSD's De Raadt Slams Red Hat, Canonical Over 'Secure' Boot 391

Posted by timothy
from the so-you're-not-a-fan-then dept.
An anonymous reader writes "OpenBSD founder Theo de Raadt has slammed Red Hat and Canonical for the way they have reacted to Microsoft's introduction of 'secure' boot along with Windows 8, describing both companies as wanting to be the new Microsoft."
This discussion has been archived. No new comments can be posted.

OpenBSD's De Raadt Slams Red Hat, Canonical Over 'Secure' Boot

Comments Filter:
  • A bit over the top (Score:5, Insightful)

    by jmorris42 (1458) * <jmorris@bea u . org> on Thursday July 26, 2012 @06:18PM (#40784437)

    We have been hearing various people who should know better that "Redhat is the next MIcrosoft" and variations on that theme now for at least a decade. Guess Ubuntu should take it as a sign that they have 'made it' that the same is now being said of them.

    Not saying I agree with either of their solution to the Kobayashi Maru (otherwise known as Secure Boot) problem, but calling them 'traitors' is a bit much. Especially since I can't rightly say I have a better plan and neither does Mr. deRaadt.

    • by Hatta (162192) on Thursday July 26, 2012 @06:23PM (#40784519) Journal

      Especially since I can't rightly say I have a better plan and neither does Mr. deRaadt.

      The better plan is to sue Microsoft for abuse of their monopoly.

      • by jmorris42 (1458) * <jmorris@bea u . org> on Thursday July 26, 2012 @06:30PM (#40784603)

        > The better plan is to sue Microsoft for abuse of their monopoly.

        The old consent decree is long since expired. Good luck starting up a new round of lawsuits, Microsoft discovered lobbists after the last round so the DOJ isn't going to be bothering them again. So your plan is do nothing for years while a court case winds its way through the system and more then likely ends up going nowhere. Boy I'd love to take that plan to the stockholders meeting.

        • by jonwil (467024) on Thursday July 26, 2012 @09:32PM (#40786199)

          Microsoft may have discovered lobbyists but their lobbyists didn't save them from EU rulings (Windows N with no media player, the "Browser Choice" screen etc). There is no reason to think the EU wouldn't be interested in investigating other abuses of monopoly power by Microsoft (including anything to do with secure boot)

          • well thats great for all of you in Europe and the UK, but for us over here in north America are still screwed up the @SS#013.

            • by metacell (523607)

              If Microsoft is defeated in EU courts, it could still help you a little back home, if nothing else by serving as an example.

      • by drinkypoo (153816) <martin.espinoza@gmail.com> on Thursday July 26, 2012 @06:38PM (#40784687) Homepage Journal

        The better plan is to sue Microsoft for abuse of their monopoly.

        You mean, so that they can be found guilty again and let go without so much as a hand-slap again? Yes, that would be a wonderfully immense waste of taxpayer dollars.

      • Especially since I can't rightly say I have a better plan and neither does Mr. deRaadt.

        The better plan is to sue Microsoft for abuse of their monopoly.

        Perfect, then we can wait a decade for the case to go anywhere, only to have it thrown out in the end and all computers made within the past decade remain unusable.

    • by UnknownSoldier (67820) on Thursday July 26, 2012 @06:25PM (#40784537)

      > but calling them 'traitors' is a bit much.

      Not really. They valued convenience over freedom. That is the antithesis of GPL / BSD. Once you start compromising your values for freedom it becomes easier to justify the convenience.

      To paraphrase Ben Franklin: "Those Who Sacrifice Liberty For Security Deserve Neither"

      At some point this short-sightedness will come back to haunt them.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        I think in this case, the additional words are important:

        "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."

        I give up liberties all the time, for various reasons.

      • by bws111 (1216812)

        Nope. They valued their customers over fighting some stupid pissing contest.

        What exactly are their chioces?

        1) Do nothing
        2) Whine about how unfair it is
        3) Label their product with: Not compatible with any PC with a Windows logo on it
        4) Create their own signing infrastructure, sign their binaries, work with all motherboard and system provides to get their key installed
        5) Sign their binaries using an already-trusted key
        6) Tell their users to disable Secure Boot
        7) Tell their users to create and install their

      • Remember when we used to make fun of the sort of people who would insist that we should say "free software" and not "open source?" I think by this point in time, we can finally acknowledge that they were right: open source is about software development, not respecting or protecting user freedom.
    • Guess Ubuntu should take it as a sign that they have 'made it' that the same is now being said of them.

      Maybe we should hold off on that until they turn a profit....

  • Expected (Score:4, Informative)

    by Daniel_Staal (609844) <DStaal@usa.net> on Thursday July 26, 2012 @06:20PM (#40784465)

    I love OpenBSD, and run it on my firewall at home, but anyone who's followed De Raadt over the years has to be 100% expecting this.

    Including the over-the-top language.

    • Re: (Score:3, Insightful)

      So he's pretty much your Richard Stallman?
      • by Anubis350 (772791)
        I'm pretty sure Richard Stallman is *everyone's* Richard Stallman, and one is enough :-p
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        I've posted exactly one thing on the OpenBSD mailing list (I forget what... something technical and innocuous anyway) and I've been flamed by Theo De Raadt. I think you could make money selling T-shirts that said, "I've been flamed by The De Raadt". I've got a lot of respect for what he's accomplished, but flaming seems to be his customary mode of interaction.

        I've also, on occasion, had the opportunity to interact with RMS via email. He has always been extremely generous with his time, gracious and polit

    • by Anonymous Coward on Thursday July 26, 2012 @07:24PM (#40785151)

      He has courage. You have to admire him for being so forthright, right or wrong. It takes balls to act as he does in today's "politically correct society" (what a bunch of hooey) - which in my opinion, is just being as honest as he can despite profanities and what-not.

      I state that, because there's truly only 1 thing I personally respect in debates: When people are shown incorrect with facts versus their points. Undeniable reputably backed hard facts that are on the subject at hand, only.

      Otherwise, things like ad hominem attacks are nothing but rubbish crap, period.

      Thus, when Mr. DeRaadt's undeniably shown to be full of utter crap on statements he's made (we all make mistakes mind you) and moreso, consistently? Then his detractors have actually made a solid point.

      When Mr. DeRaadt hasn't been utterly disproven beyond a doubt on his ideas, despite his "let it all hang out" attitude (which to a degree I respect a great deal for the reasons stated above but admittedly, other times not), he has made HIS point, disproving his detractors.

      It's as simple as that.

      In other words, what I have noted is that when the media or other groups attack a person on illogical grounds, ala ad hominem attacks? They fear them (and often for quite selfish and often nefarious reasons that aren't for the good of others, only themselves. Just an observation from over 1/2 a century of my life now.)

      • Re: (Score:2, Interesting)

        by AdamWill (604569)

        People like to throw 'ad hominem' around way too much, because it sounds all clever, I guess. It doesn't work all the time.

        An 'ad hominem argument' is an error when you're formally debating a specific argument with another person, and you try to win by attacking the person. 'You say that this apple is green, but I say that you smell and your mother is French, therefore the apple is red and I win!' That's a true case of an 'ad hominem argument' which is flawed.

        You can't just go around yelling 'ad hominem' ev

  • From the article: (Score:4, Insightful)

    by Fwipp (1473271) on Thursday July 26, 2012 @06:21PM (#40784469)

    Responding to a query from iTWire about what OpenBSD, widely recognised as the most security-conscious UNIX, would be doing to cope with "secure" boot, De Raadt said: "We have no plans. I don't know what we'll do. We'll watch the disaster and hope that someone with enough power sees sense."

    Is not wanting to "be the new Microsoft" worth being unprepared for a "disaster?"

    • That's my take on things. Secure boot, at this moment is 'do a deal with the devil or give up on being on those systems'.

      I have no idea how Microsoft ended up being in the position to dictate this state of affairs, and hardware manufacturers should be ashamed of themselves. The law should be that you have the keys to your own hardware.

      Maybe someone will sue over it and reverse it that way.

      But I don't think of RedHat or Canonical as doing something evil over this, just trying to survive.

  • IIRC - Theo (Score:4, Interesting)

    by Gunfighter (1944) on Thursday July 26, 2012 @06:23PM (#40784517) Homepage

    Isn't Mr. De Raadt known for being a bit... shall we say, "pointed" on these sorts of things?

  • by Chemisor (97276) on Thursday July 26, 2012 @06:29PM (#40784597)

    Ok, Theo, let's hear your solution then. I, for one, would really love the ability to secure boot a Linux system, knowing that every component is still exactly as it was when I last checked it and nobody has sneakily installed malware that secretly emails spam to all my friends and my financial details to carding sites. Trusted hardware root and signed executables are good things. So tell us then how we are supposed to get them? You obviously do not believe that we should be using Microsoft's key to sign the bootloader. What should we use? Keep in mind that while you have no difficulty installing your own keys in the BIOS, to a typical user (you know, those poor shmucks who get infected most often) that's deep voodoo. Also keep in mind that while Microsoft has the pull to get its key loaded by default into all the TPM chips manufactured, Ubuntu does not. Neither does BSD.

    • Re: (Score:3, Insightful)

      by ceoyoyo (59147)

      The BIOS key comes printed in the manual. As a user, if you install the OS, you have to type that number in. Users who cannot enter numbers from a manual when prompted don't generally install OSes.

      • by snikulin (889460)

        A manual could get lost. What's about printing the key on M/B itself, like they do it with MAC ID? It better be some kind of bar code (RSA-4096 wold be tough to type in). Or (and?) BIOS/EFI could have a dedicated page where it shows the whole key in a hand-help scanner friendly format. But in this case the snapshot could leak to the internets.

      • I wouldn't be surprised if the mass production of pre-installed systems will be helped with some sort of system that installs "enterprise/OEM" keys into the OS or the BIOS so fully automated installs can take place.

        Now where have we seen this done before and what happened because of it?. I doubt this whole "secure boot" thing will last very long before software pirates will have found a way around it again. Once that happens, so will the malware authors and the wohle exercise will be useless again, just li

      • by nukenerd (172703)

        The BIOS key comes printed in the manual.

        Not if the manual is as crappy as some that I have seen. And when you buy a PC from the high street, there is no guarantee that you will be forwarded the motherboard manual.

        • by ceoyoyo (59147)

          If the key required to install ANY operating system is in the manual, you'll be given the manual. Or print it on the motherboard itself as someone else suggested.

    • by tlambert (566799) on Thursday July 26, 2012 @07:22PM (#40785137)

      You ship the TPM with a per-TPM public key in it, and a USB dongle with a certificate on it signed with the per-TPM secret key for the per-TPM public key, and then you require the presence of the dongle to intermediate the installation of the OS of your choice onto the machine. You allow installation of other public keys signed with the private key, and you have another public key and separate private key to permit per-device self-signing of whatever code you want, but only on a per-device basis.

      Then you have your BIOS/EFI/UEFI/Coreboot/u-boot refuse to do anything other than go into "install mode" if the dongle is inserted so that the dongle will be removed after installation for normal operation so that it can't be abused by malware.

      After that, all vendors are responsible for securing their own OS past the point of it being loaded into memory.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        Even better, just have a fucking pushbutton on the side of the box.

        You want to install your own bootloader? Great, it will try to write its key - and you hit the little button to commit that. A virus sneaks onto your machine? Good luck reaching out of the CPU to toggle a physical contact.

    • Re: (Score:3, Interesting)

      by cheesybagel (670288)
      How about doing it like SSH? The first time you install something with a new key it tells you "the key *blah* is unknown to the system. Do you want to proceed? yes/no". If you say "yes" it memorizes the key.
  • This stinks! (Score:3, Interesting)

    by deltaromeo (821761) on Thursday July 26, 2012 @06:34PM (#40784661)
    This whole Microsoft / Secure Boot situation is outrageous, it should never be allowed to be implemented, linux distro's should not be having to get anything signed by Microsoft. Hopefully some judge someday will see sense and kill it and also force Microsoft to carry positive mentions of other OS's in their advertisements in a similar fashion as the Apple / Samsung tablet ruling.
  • by RLiegh (247921) on Thursday July 26, 2012 @07:11PM (#40785021) Homepage Journal

    else is wrong.

    Sadly, MS has the power to take control of our computers away from us --and with secureboot they're doing exactly that. This is a direct attack on personal computing and the freedoms of the end-user to control the software on their computer.

    RMS and Theo De Raadt are both right on this --but neither one of them has the influence needed to avert this attack, so it doesn't matter.

    The era of personal, general-purpose computing is over.

    • by AdamWill (604569)

      "Sadly, MS has the power to take control of our computers away from us --and with secureboot they're doing exactly that."

      By...specifically requiring that you have the ability to turn Secure Boot off, and enrol your own keys?

      The Microsoft Windows 8 certification requirements specifically require both these things. The UEFI spec does not. A manufacturer who complies only with the UEFI spec has *more* freedom to restrict your ability to control the hardware than a manufacturer who also complies with the Window

  • From what I understand, Windows 8 will run on most contemporary hardware. I installed it on a 3.8GHz P4 system and it ran fine. But it looks like if you want Microsoft Certification, then you need a BIOS that contains the UEFI code. But what if a manufacturer doesn't care about Microsoft Certification and elects to install Windows 8 on a PC with a UEFI BIOS? Then Linux or other operating systems should have no problems dual booting with Windows 8. I conclude that market conditions may cause some PC OEM's to
    • From what I understand, Windows 8 will run on most contemporary hardware. I installed it on a 3.8GHz P4 system and it ran fine. But it looks like if you want Microsoft Certification, then you need a BIOS that contains the UEFI code. But what if a manufacturer doesn't care about Microsoft Certification and elects to install Windows 8 on a PC with a UEFI BIOS? Then Linux or other operating systems should have no problems dual booting with Windows 8. I conclude that market conditions may cause some PC OEM's to eschew this BIOS extension altogether. Especially if it annoys their potential customer base.

      Darn, I meant "But what if a manufacturer doesn't care about Microsoft Certification and elects to install Windows 8 on a PC without a UEFI BIOS? " Then they will be able to dual boot Windows 8 without Microsoft issuing a UEFI license.

      • by AdamWill (604569)

        Please stop confusing UEFI and Secure Boot. It makes it impossible to communicate with you.

    • by AdamWill (604569)

      You might want to learn what the hell UEFI is before sounding ridiculous.

      UEFI is not a 'BIOS extension'. BIOS and UEFI are completely different standards for firmware for PCs. UEFI is intended to _replace_ BIOS.

      UEFI is also not the same thing as Secure Boot. Secure Boot is one feature of recent versions of the UEFI specification.

      "From what I understand, Windows 8 will run on most contemporary hardware. I installed it on a 3.8GHz P4 system and it ran fine."

      Windows 8 does not require Secure Boot to be enabled

  • Losing Influence (Score:4, Informative)

    by wzinc (612701) on Thursday July 26, 2012 @07:52PM (#40785427)
    Microsoft is quickly losing influence; I don't think their secure boot stuff is going to be that big of a deal. I would say they have a chance with Windows Server, but 2012 has Metro, so I think they'll be declining on all sides now. They don't seem to care about what people actually want; they just want to push some new thing.

    Personally, I never liked Windows, but with Metro even on Server, I'll be seriously pushing Linux at work.
    • by BlueCoder (223005)

      Window 8 is about turning windows into an embedded platform like an iphone. Both securing the systems and letting them like a cut of all software through their software store. You'll be installing windows 8 with a smile on your grandmothers and parents computers. Of course you wouldn't be caught dead using it. All enthusiasts have all long jumped ship on windows except for gaming.

      With windows 8 and Microsoft taking a cut I expect it to motivate a PC games dedicated Linux distribution and more development on

  • by Anonymous Coward on Thursday July 26, 2012 @08:23PM (#40785709)

    Theo, ranting, is why he got kicked off the NetBSD project. Theo, ranting, is why OpenBSD's drivers for Broadcom chipsets stink. (Look up how the original author tried to resolve the licensing problems of sticking his GPL drivers in an OpenBSD kernel and was ignored, then screamed at by Theo for making the issue public.) Theo, ranting, is why OpenBSD doesn't properly handle booting from software RAID. Theo, ranting, is why the OpenBSD installer works like the UNIX crap I learned to loath back in 1985 and can't store the state of what you've already selected or go back, you just have to start over from scratch. Theo, ranting, is why OpenSSH has no built-in support for chroot cages. Theo, ranting, is why OpenBSD has no virtualization server capability. Theo, ranting, is why OpenSSH still stores both host keys and by default, user private keys in clear text with no expiration, and has no plans to fix this. Theo, ranting, is why the "compatiblity chart" is a list of chipsets that don't match the actual chipsets published by the manufacturer, and usually are from chipsets at least 4 years old.

    Theo, ranting, usually means you're doing something right for your actual client base rather than for his ivory tower. There's a reason OpenBSD is used only by fanboys who run it on "hobby" systems and don't get any work done. And yes, I've dealt with the crap for years: I *wrote* the first SunOS ports of SSH-1, SSH-2, and OpenSSH. (Theo's fan club did not write SSH: they ported Tatu's previously GPL work into OpenSSH, and screwed up the license. Surprisingly little of the actual codebase is due to OpenBSD hosted development.)

  • by future assassin (639396) on Thursday July 26, 2012 @08:29PM (#40785749) Homepage

    whats to stop manufacturers from not including secure boot in their hardware. No way there isn't a big market for some Chinese manufacturer to jump onto this and have the Linux world use their hardware.

    • whats to stop manufacturers from not including secure boot in their hardware. No way there isn't a big market for some Chinese manufacturer to jump onto this and have the Linux world use their hardware.

      What's to stop manufacturers from not including secure boot in their hardware? Threats of litigation by Microsoft.

  • I'm more surprised that bios replacement isn't already more prominent. It's not all that complicated to reverse engineer hardware initialization, it's just that it isn't necessary. Hardware will always be rootable. And software will always be able to implement emulation and man in the middle on such hardware. It will just require more active participation from the hardware owner, no virus or software installation will be able root the system without you actively participating.

Are you having fun yet?

Working...