OpenBSD's De Raadt Slams Red Hat, Canonical Over 'Secure' Boot 391
An anonymous reader writes "OpenBSD founder Theo de Raadt has slammed Red Hat and Canonical for the way they have reacted to Microsoft's introduction of 'secure' boot along with Windows 8, describing both companies as wanting to be the new Microsoft."
A bit over the top (Score:5, Insightful)
We have been hearing various people who should know better that "Redhat is the next MIcrosoft" and variations on that theme now for at least a decade. Guess Ubuntu should take it as a sign that they have 'made it' that the same is now being said of them.
Not saying I agree with either of their solution to the Kobayashi Maru (otherwise known as Secure Boot) problem, but calling them 'traitors' is a bit much. Especially since I can't rightly say I have a better plan and neither does Mr. deRaadt.
From the article: (Score:4, Insightful)
Responding to a query from iTWire about what OpenBSD, widely recognised as the most security-conscious UNIX, would be doing to cope with "secure" boot, De Raadt said: "We have no plans. I don't know what we'll do. We'll watch the disaster and hope that someone with enough power sees sense."
Is not wanting to "be the new Microsoft" worth being unprepared for a "disaster?"
Re:A bit over the top (Score:5, Insightful)
Especially since I can't rightly say I have a better plan and neither does Mr. deRaadt.
The better plan is to sue Microsoft for abuse of their monopoly.
Re:A bit over the top (Score:5, Insightful)
> but calling them 'traitors' is a bit much.
Not really. They valued convenience over freedom. That is the antithesis of GPL / BSD. Once you start compromising your values for freedom it becomes easier to justify the convenience.
To paraphrase Ben Franklin: "Those Who Sacrifice Liberty For Security Deserve Neither"
At some point this short-sightedness will come back to haunt them.
Re:Expected (Score:3, Insightful)
Re:A bit over the top (Score:5, Insightful)
> The better plan is to sue Microsoft for abuse of their monopoly.
The old consent decree is long since expired. Good luck starting up a new round of lawsuits, Microsoft discovered lobbists after the last round so the DOJ isn't going to be bothering them again. So your plan is do nothing for years while a court case winds its way through the system and more then likely ends up going nowhere. Boy I'd love to take that plan to the stockholders meeting.
Re:A bit over the top (Score:5, Insightful)
The better plan is to sue Microsoft for abuse of their monopoly.
You mean, so that they can be found guilty again and let go without so much as a hand-slap again? Yes, that would be a wonderfully immense waste of taxpayer dollars.
Re:So what's the plan, Theo? (Score:3, Insightful)
The BIOS key comes printed in the manual. As a user, if you install the OS, you have to type that number in. Users who cannot enter numbers from a manual when prompted don't generally install OSes.
1 thing I admire about him (Score:4, Insightful)
He has courage. You have to admire him for being so forthright, right or wrong. It takes balls to act as he does in today's "politically correct society" (what a bunch of hooey) - which in my opinion, is just being as honest as he can despite profanities and what-not.
I state that, because there's truly only 1 thing I personally respect in debates: When people are shown incorrect with facts versus their points. Undeniable reputably backed hard facts that are on the subject at hand, only.
Otherwise, things like ad hominem attacks are nothing but rubbish crap, period.
Thus, when Mr. DeRaadt's undeniably shown to be full of utter crap on statements he's made (we all make mistakes mind you) and moreso, consistently? Then his detractors have actually made a solid point.
When Mr. DeRaadt hasn't been utterly disproven beyond a doubt on his ideas, despite his "let it all hang out" attitude (which to a degree I respect a great deal for the reasons stated above but admittedly, other times not), he has made HIS point, disproving his detractors.
It's as simple as that.
In other words, what I have noted is that when the media or other groups attack a person on illogical grounds, ala ad hominem attacks? They fear them (and often for quite selfish and often nefarious reasons that aren't for the good of others, only themselves. Just an observation from over 1/2 a century of my life now.)
Re:A bit over the top (Score:5, Insightful)
"Requiring other OS makers to buy a license from Microsoft is very clear evidence of using their monopoly power to stifle competition"
It certainly would be. The only problem is that they're not doing that at all.
The industry as a whole agreed to ratify the basic Secure Boot mechanism as part of the UEFI standard. Secure Boot as described in the UEFI standard does not say anything at all about who should sign code and issue keys and any of that stuff. All it does is say 'here is a mechanism called Secure Boot by which the system firmware can maintain a list of keys and refuse to run code which is not signed by one of those keys'.
So once that's in the UEFI standard, we have a world where there is this thing called Secure Boot which operating system developers and hardware vendors can *choose* to implement. Or not. The UEFI standard says nothing about whether it ought to be used, what keys ought to be included, or anything like that.
So Microsoft, as an operating system vendor, decides they want to use this Secure Boot thing. They're going to sign their operating system, and require vendors who want to pre-load that operating system on their systems to ship Microsoft's key. So that their operating system will run. This is what the Microsoft Windows 8 certification requirements for x86 state: you have to turn Secure Boot on by default and include our key.
What the certification requirements explicitly do _not_ state is this: 'you can't include any other keys'. They definitely don't say that. They just say 'you have to include Microsoft's key'. There's no restriction at all on shipping any number of other keys. Additionally, the certification requirements explicitly require that the user be able to enrol their own keys, and also disable Secure Boot if they so desire.
So...Microsoft's requirements for OEMs are that they enable Secure Boot by default (but allow it to be disabled) and ship Microsoft's key (but they can also happily ship any number of other keys, if they choose).
It's logically impossible to construe this as "Requiring other OS makers to buy a license from Microsoft". It doesn't do that, at all. Other OS makers can have their OS signed by themselves or anyone else they like, and ask hardware manufacturers to ship that key. Microsoft does nothing to prevent this. Or they can choose not to sign their OS at all, and ask users to disable Secure Boot. Microsoft does nothing to prevent this. Or they can _choose_ to have Microsoft sign their OS so it'll work without them needing to get any other key loaded into firmware; Microsoft didn't _have_ to provide public signing services, but they are doing so to avoid a PR shitstorm. If Microsoft really wanted to be evil, why would it provide public signing services at all? Wouldn't it be more effective just to say 'no, we won't do that'?
I find it highly unlikely that you could build a convincing case of monopoly abuse over Secure Boot for x86, when the actual facts of the matter are taken into account. They just don't support the accusation strongly enough. If Microsoft could be shown to be exerting pressure to prevent alternative signing groups from existing or getting their keys loaded onto hardware, then maybe...but AFAIK no-one has shown such.
(disclaimers: I am not a lawyer and this is not legal advice or a legal opinion. Furthermore, though I work for Red Hat, I am not directly involved in any RH evaluation of this issue, I am not involved in RH legal in any way, and this is entirely a personal opinion and not in any way representative of Red Hat. It is not Red Hat's official position on the issue of the legality or otherwise of Microsoft's actions. I specifically leave open the possibility that Red Hat as an entity might take a completely opposite view of the case.)
Re:A bit over the top (Score:5, Insightful)
Microsoft may have discovered lobbyists but their lobbyists didn't save them from EU rulings (Windows N with no media player, the "Browser Choice" screen etc). There is no reason to think the EU wouldn't be interested in investigating other abuses of monopoly power by Microsoft (including anything to do with secure boot)
Re:External intermediate nonce & public key &a (Score:3, Insightful)
Even better, just have a fucking pushbutton on the side of the box.
You want to install your own bootloader? Great, it will try to write its key - and you hit the little button to commit that. A virus sneaks onto your machine? Good luck reaching out of the CPU to toggle a physical contact.
Re:From the article: (Score:4, Insightful)
for now they require it on X86 and X64 systems but it is locked on arm. but what about windows 9? will it be removed because like the start menu because "so few people were using it".
Re:A bit over the top (Score:4, Insightful)
So how does having a desktop monopoly facilitate Microsoft's move on ARM?
I'm not so familiar with the facts of the case, so I'm only speaking hypothetically, but Microsoft could use their monopoly on desktop OS:es as leverage when they negotiate with OEM manufacturers, and get them to lock down ARM devices.