No Windows 8 Plot To Lock Out Linux

First time accepted submitter Bucky24 writes "ZDNet's Ed Bott decided to contact major PC makers to find out the truth about Windows 8 SecureBoot. The responses are encouraging for those of us who run third party operating systems. Dell plans to have a BIOS switch to allow SecureBoot to be disabled, and HP assures us that they will allow consumers to make their own choice as to what operating system to run, though they have not given details as to how."

At first at least.

[Anonymous Coward]

1. Embrace.

Re:

[bryan1945]

We promise! Really!

Re:

[dingfelder]

until they patch it

Ed Bott

[bmo]

Ed Bott is nothing more than a Microsoft mouthpiece. Not going to RTFA and almost didn't RTFS because of his name. His hobbies are trolling and shilling for Microsoft.

The only difference between him and Robert Enderle is that Robert is a more honest whore.

--
BMO

Re:Ed Bott

[hedwards]

He's probably technically correct that it isn't a plot to lock out Linux. In practice though, I'd be surprised if it didn't end up like ACPI early on, where MS' implementation was the only one that many vendors bothered with, opting not to fix bugs that MS had a workaround for.

Re:Ed Bott

[hedwards]

When they do it by including undocumented workarounds for a known standard, yes it certainly is evil. And in the case of ACPI, it didn't just affect people that wanted to have pure code, it also affected all the other projects that depended upon the code being implemented to standards. It took years to sort that out and ultimately, just served to benefit MS.

Had MS actually implemented the standard that everybody else was using, the one that Intel provided a validator for, it wouldn't have been an issue.

Re:

[Penguinisto]

True, but how much profit and lock-in can you get from that?

Re:

[makomk]

Microsoft created the tools that generated the broken BIOS code in the first place, and they designed them in such a way that they always generated broken, non-standards-compliant code - in fact there are reasons to believe this may have been deliberate.

Re:

[syousef]

His hobbies are trolling and shilling for Microsoft.

It's not a hobby if you make your living that way.

Re:Ed Bott

[izomiac]

I read the article and regret it. The author called Dell and HP "spokespersons" and asked about their company's plans. One non-decision-making employee says Dell is currently planning to provide an option, and a similar HP employee has no idea what SecureBoot is, but can confirm that HP is not participating in a conspiracy (the stated question apparently).

So, after two phone calls and an e-mail, the author's fact-checking work is done, so the article moves on to mocking selected quotes by open source advocates. I'll try to remember Ed Bott's name, as he obviously has such high journalistic standards.

Re:

[bmo]

There is at least one person who thinks highly of Ed Bott, however.

The net effect of that big brainwashing effort is that some of the more credulous and less informed people now distrust a very smart analyst like Rob Enderle, very smart journalists like Maureen O'Gara and Dan Lyons, or a very smart author like Ed Bott, only because they comment on certain issues with greater sanity than Groklaw.

- Florian Mueller

*spit*

--
BMO

Re:Careful there...

[Rogerborg]

Uh... it's not ad hominem to point out that the listed "experts" have a track record of being wrong, wrong and wrong again, and have been repeatedly caught with their hands in Microsoft's pockets.

Groklaw (under Pamela Jones) has called things correctly far more often than not.

Full Disclosure: On a personal note, I detest that whiny martyr PJ and her horde of White Knight sycophants, but I do have admit that it's hard to find examples of her getting things wrong.

Re:

[Penguinisto]

Yep... you get used to glazing past anything with Ed Bott's tagline in it. He's notorious for being a better Microsoft mouthpiece than Microsoft's PR department.

I just have a hard time deciding if it's because he loves Microsoft that damned much, or if he's just doing it to generate eyeballs and clicks.

Re:Ed Bott

[sortius_nod]

anything on ZDNet is going to be a Microsoft shill piece.

Re:

[poetmatt]

no worries. the EFF has picked up on the article's FUD, among others. The funny thing is that moving forward with secureboot in ways that are undocumented/lock out linux would bring so many lawsuits to microsoft that even the lawyers will be falling over themselves to sue them. It would quite literally give novell so much ammunition it's not even funny.

Re:

[betterunixthanunix]

Quick fix from Microsoft:

"In response to criticism from the US government and the open source community, our secure boot loader will now allow users to run Linux! You will, of course, be running in a hyperviser to ensure that you do not attempt to access the Windows partition or overwrite the bootloader, which is necessary for your security!"

The purpose here is to ensure that the user cannot modify Windows, and the purpose of that is to ensure that DRM systems become effective (i.e. because if you ca

Re:

[Zancarius]

His hobbies are trolling and shilling for Microsoft.

I agree. I've long stopped reading anything of his simply because it's just regurgitated press releases from Redmond.

Re:

[The Askylist]

My only question is - how can booting into Windows version anything be called "secure boot"?

Surely the term "locked-in boot" is more accurate?

Re:

[bmo]

not sure what the /. issue with the guy is

If you've ever read more than one Ed Bott article, you'd know. People accuse the FOSS crowd of being stubborn. You have to be stubborn to refute the repeated lies that Ed and so-called journalists and "analysts" like him will spew. It gets old quick.

getting paid to do what you like in a field that you like doesn't make you a shill.

I agree. Mary Jo Foley isn't a shill. She still seems to have her dignity and integrity about her, more or less. She may be a fangir

Re:

[bmo]

Oh here we go.

>pretend to sound reasonable
>pretend to ignore all the other stuff that Ed Bott has said
>ask me to go dig up his articles

No, you can go read his articles over on ZDNet. They are indexed and you can judge for yourself.

--
BMO

Re:

[jcombel]

i've read a few (only ones that have been front-page story'd on slashdot) and they all seemed reasonable and factual so far. from what i understand the guy has written several entries per week for the last umpteen years, i think just directing me to his hundreds of entries is a bit unreasonable. if you don't want to go link diving, that's fine, i don't want to go digging either. do you remember any particular topics that he lied or misrepresented, so that i might try my google fu for a couple minutes?

Re:Ed Bott

[Zancarius]

Okay, I'll bite. Let's take this article [zdnet.com] as a fine example of his work:

Allow me to illustrate by turning the argument around in an equally cynical way, with an equally inflammatory rhetorical flourish:

People who make their living in the Linux ecosystem are demanding that Microsoft disable a key security feature planned for Windows 8 so that malware authors can continue to infect those PCs and drive their owners to alternate operating systems.

Oh, wait. Now that I think about it, thatâ(TM)s actually pretty close to the truth.

Bott takes a provocative approach by claiming to "turn the argument around" using "equally inflammatory rhetorical flourish"--then implicitly claims it's "close to the truth." In other words, he's essentially linking malware authors with people who are attempting to drive users toward alternative OSes like Linux. Is it a joke? Maybe, but his last statement leaves one wondering if he really does believe it.

He claims that UEFI will magically prevent rootkits from working simply because the BIOS will then be able to detect mangled files. I'm not sure Bott fully understands the purpose of a rootkit, but if one were well designed, UEFI will achieve nothing toward this goal. Indeed, unless UEFI contained signatures for all Windows system files, I'm quite certain that it would be fairly easy for an interested party to circumvent. After all, the objective of a rootkit is to hide the rootkit from examination, and running one under UEFI would simply require hooking into the OS at points that the UEFI does not check. But no, Bott seems to espouse this technology as magical!

Let's not stop there.

In this article [zdnet.com], Bott's original post immediately presumes that the reports of MSE incorrectly flagging Chrome as malware were the fault of the users downloading compromised versions or installing on a compromised Windows install. It seems that it never occurred to him that it could have been a false positive in MSE until after it was confirmed with MS.

Now, before you tell me that I'm nitpicking, consider this: False positives are not at all unheard of with antivirus software. Avira, Avast, AVG, et al, have been known to flag valid, clean software as potentially dangerous, and most sensible people installing something from a known-good source that claims the source file is not compromised will immediately assume it's a false positive and submit it to the AV company. While Bott did the correct thing in submitting it, he dismissed it as the fault of users simply because he couldn't recreate the problem. Ah yes, not a chance that MS could do anything wrong...

Oh, and then there's this wonderful masterpiece [zdnet.com] in which Bott proudly declares Microsoft's victory. While this may be true--Linux on the desktop is unlikely to become a reality--you have to dig a bit to find that he concedes, quote, "On the server side, of course, Microsoft continues to acknowledge that Unix and Linux are strong competitors." You can tell he was salivating over the prospect, though, never mind that Android is, essentially, Linux under the hood.

And what about his article The Hidden Costs of Running Windows on a Mac [zdnet.com]? Not only does he go out of his way to point out that you have to buy licenses (hint to you, Mr Bott: you're still buying OEM Windows licenses when you buy a Dell), but he points out possible performance issues and the likes. Honestly, I think this is a true shill piece; if someone has decided that they want to run Windows on their

Re:

[benjymouse]

He claims that UEFI will magically prevent rootkits from working simply because the BIOS will then be able to detect mangled files. I'm not sure Bott fully understands the purpose of a rootkit, but if one were well designed, UEFI will achieve nothing toward this goal. Indeed, unless UEFI contained signatures for all Windows system files, I'm quite certain that it would be fairly easy for an interested party to circumvent.

Ed Bott is right and you are wrong. You believe "signatures" is hashes (because there is no code signing in Linux?). They are not hashes, code/file signing is based on asymmetric keys for integrity protection and is pretty solid (unless you let Debian developers modify the code for key generation). The UEFI firmware will have a table with approved public keys. Any bootloader and its data will have to be signed with one of the corresponding private keys if secure boot is switched on. The bootload'er vendor c

Re:

[benjymouse]

First, you're missing the whole point. Root kits don't come in through the boot loader. That was the way it was done when DOS was the most used OS. Instead, they either use an exploit against the OS, or simply uses Administrator privileges to hook into the system (many users are still running as Administrator, and those who still have UAC turned on, have no idea when it's ok to click "allow".

You should have followed along then. Windows (the x64 editions) since Vista is using kernel and driver signing. The kernel will *not* load from a cabinet file unless the cabinet is signed with a key trusted by the kernel. Furthermore, the kernel will *not* load a kernel mode driver unless it has been signed using a valid code certificate issued by a trusted issuer (e.g. Verisign).

This means that a rootkit cannot tamper with kernel executable files or cabinet files in order to insert itself during boot. As s

Re:Ed Bott

[bmo]

For many years, Ed was on the side of SCO. His typical characterizing the FOSS crowd as dirty unkempt, unwashed hippies over the same years, and his continual use of the word "freetard" was, and is, reprehensible. And yes, there is a lot of it, which is why I don't want to go diving in the filth.

Not reasonable in the least.

If you read the post I put up here that had the quote from Florian, Florian lists almost all the "paided" shills for Microsoft and calls them "smart" thus aligning himself against FOSS and with Microsoft. Ed Bott is one of them. He left out Paul Murphy, AKA Rudy de Haas.

And that's not ad-hominem.

There is a lot of animosity from people like me that people like them earned.

--
BMO

Wow, quite the article...

[fuzzyfuzzyfungus]

While nice, if true, to hear that OEMs will be doing (part of) what people would like to see(specifically, having an option to disable 'secure boot' is better than nothing; but what you really want is the option to do a keyfill with trusted keys of your choice: signed boot components make good sense, it's just not being able to choose who is trusted to sign them that is an issue); this article could hardly be any smarmier or less informative.

"In response to the FUD campaign of the freetards, I asked some PR people. Dell said 'yes', HP emitted word salad, AMI said that they would do whatever their customers felt like. Case Solved!" If it weren't for the smirking invective, the whole thing could have been boiled down to a single paragraph(or, heaven forfend, bulked out with technical information...)

Re:Wow, quite the article...

[hedwards]

At that point, you might as well ditch it completely and just have a special boot chip that can be made writable via jumper and most of the time set to read only.
It would solve the problem without the need for such a scary possibility as the vendor being able to lock you out of your OS of choice.

Re:Wow, quite the article...

[fuzzyfuzzyfungus]

As best I can tell, EFI was what happened when somebody looked upon the BIOS, saw that it sucked compared to the OS, and decided that(rather than building a new firmware aimed at getting into the OS as simply and quickly as possible) they would build a BIOS large enough to possess every vice of an operating system and leave implementation to the capable hands of the PC OEMs, whose dedication to software quality is legendar...

Re:

[Microlith]

EFI is what happens when Intel (rightly) concludes that switching to a new architecture, IA64, would allow them to abandon all the problems of x86 and thus eliminate the then 20 year old BIOS in favor of something more capable. It is also what happens when Intel goes hugely NIH and decides to create something almost, but not quite, like OpenFirmware.

large enough to possess every vice of an operating system and leave implementation to the capable hands of the PC OEMs, whose dedication to software quality is

Re:

[Microlith]

The primary benefits come in when you're a major system buyer needing to administer many machines, possibly before the OS comes up. But it's better than the BIOS as a whole due to not being limited to the 16-bit modes of the CPU, instead switching rapidly into the 64-bit environment immediately, far easier to develop option ROMs for, and if set up properly, and with properly written option roms (a.k.a. drivers) can boot much faster.

Of course, all of this could have been had with OpenFirmware but Intel decid

Re:

[wzinc]

I think the issue is n00bs will try Linux for the first time, fail, and think it's no good. Ubuntu, etc will have to plaster "turn-off SecureBoot" all over their site. Of course, like most BIOSes, it will be poorly translated, and you'll have to hunt all over for the right setting. People are always saying how closed Apple is on this site, but they specifically wrote a BIOS emulator so you could run Win/Linux on a Mac. Apple will be the most open hardware maker after this!

Re:

[znerk]

Ubuntu, etc will have to plaster "turn-off SecureBoot" all over their site.

... which Microsoft can then point at as an obvious indication that *nix is evil and/or insecure.

Re:

[lanswitch]

It's not up to the U.S. market to decide whether all pc's should be running SecureBoot. Would China go along with Secure Boot, or would they just design and build their own PC's?

Not really that surprising

[robot256]

After all, when you're simply pushing commodity hardware with no particular value added, adding "can run non-Windows OS" is just another bullet-point feature you can add to your list, and one that even normal people will look for "just in case" they want to try out this Linux thing or whatever. What's the point in locking yourself in if there isn't anything special about the hardware in the first place? Even Apple doesn't limit what its hardware can run, only what its OS will run on.

Besides, there are plenty of enterprise customers running Linux servers and workstations, so making that an option would just add uncertainty to the supply chain and make those customers uncomfortable.

Re:Not really that surprising

[betterunixthanunix]

even normal people will look for "just in case" they want to try out this Linux thing or whatever

The last time I dealt with a "normal person" buying a computer, the conversation went like this:

Me: "...this has 2 gigabytes of ram, which should last you a few years."
Her: "It's so ugly! What about that one, that one looks prettier!"
Me: "That one has a lower end processor and less memory. Are you sure you want something that is less capable?"
Her: "Look they are letting me pick the color!"

Non-technical people are just that: non-technical. Computer makers and especially Apple know exactly how to take advantage of such people, which is what "secure boot" is all about. This is about ensuring that customers can be locked into DRM-laden platforms, plain and simple. Dell will probably have the option described in TFA...in their high end workstations, that are prohibitively priced, with the option disabled for "consumer" systems. My guess is that this will not happen in the first generation of systems with "secure boot," but more likely in the second or third generation, when more "strategic" platforms are deployed out of the box for which DRM is a key part of the control.

Re:

[Velex]

Her: "Look they are letting me pick the color!"

My case is transparent purple, you insensitive clod. Seriously, going on 12 years, I've had a matching purple power strip and case. Otoh, when I first built my system it was and AMD Thunderbird with a Voodoo 5 Video card. It was pretty kick-ass at the time. These days I have tons of ram, tons of processor, tons of everything, and the best part is, I still have a matching purple case and purple power strip!

Boys.. you just don't get it. Girls.. you don't get it either. I guess I don't know what my po

Re:

[Ltap]

Mod parent up. The ability to boot a different OS will become a feature for "serious users" that costs thousands of dollars. The days of installing Linux on older desktop systems for hobby purposes will be over unless someone cracks this stuff.

Re:

[fahrbot-bot]

Me: "...this has 2 gigabytes of ram, which should last you a few years."

My preference would be for RAM that lasts longer that a few years...

Re:

[mehrotra.akash]

I have personally seen a gril going and asking the salesman : which of these laptops are available in pink After that she bought the one with the least weight among the pink ones She did not check the config even once

Re:Not really that surprising

[Gerald]

I'm confused. Are we supposed to go "tsk tsk" and be dismissive or be impressed that she had clear and concise specs which the vendor was able to meet?

Re:

[mug funky]

in a dept store, the laptops all have the same features, save for some corner cases.

there's no shame in "just wanting something to browse on, and maybe some other stuff". if that's what you want, then every machine in the store is good enough.

given that, why on earth wouldn't you choose the prettiest, lightest, cheapest one (though i'd include battery life as well, because using these things in bed with the power plugged in causes awful things to happen to the power jack).

my wife's getting an iPad 2.0. sh

Re:

[kimvette]

For all you know, she could be a hardcore geek, and just wanted a cheap notebook she doesn't care about to surf the web at Starbucks.

Not all notebooks have to be powerful enough for realtime 3D modeling and nuclear reaction simulations. :-)

Not everyone needs higher end hardware

[perpenso]

I have personally seen a gril going and asking the salesman : which of these laptops are available in pink After that she bought the one with the least weight among the pink ones She did not check the config even once

And if she is just going to browse the web, maybe use an email client (more likely web based email) and maybe run the bundled word processor what is the problem? I think we are long past the point where even the most modest computer at the local retailer has performance far beyond the needs of casual users. Hell, a tablet plus a bluetooth keyboard is probably an option for many such users.

Re:

[jejones]

"What's the point in locking yourself in if there isn't anything special about the hardware in the first place?"

Don't you remember Microsoft's campaign against "naked PCs" [zdnet.co.uk] (i.e. computers sold without an operating system)? I'm sure that we'll see a similar campaign for OEM systems and motherboards set up to preclude installing a non-MS operating system.

There will be Linux friendly motherboards ...

[perpenso]

Normal people would not care if the system could run Linux. They don't know how to use Linux, they probably don't even know what it is.

In any case, if the computers found in retail establishments are locked down to run only Windows it hardly matters. Motherboard manufacturers like ASUS, Gigabtye, MSI, etc will surely offer motherboards that are Linux friendly. They already produce motherboards and other products targeting the hobbyist market. Don't want to screw together your own computer? Well there hav

Load your own keys?

[tchuladdiass]

I want to leave secure boot enabled, but put me in charge of the keys. That is, I want to load my own public keys into the system (through a secure channel, such as a bios screen or flipping a physical switch, for example).

Re:

[fuzzyfuzzyfungus]

You crazy consumer, you. Next you'll be wanting to know your TPM's private endorsement key.

Re:

[tchuladdiass]

The point is to know that what I'm booting up is what I installed. You know that thing that was invented back in the 80's or so, called a "boot sector virus"? Yes, I know it's kind of hard to get one of those installed on a Linux system, but there are a number of server systems that have been "owned". Right now if I suspect that something is fishy with one of the servers I'm tasked with maintaining, it would be nice to know that all the automatic validity checks I put in starting with the initrd image on

Re:

[sjames]

Most people don't actually need it at all and should just turn it off. However, others might actually find the feature useful if it exists and they can manage trust on it. Otherwise, it should be left out entirely. Why should I pay for a "feature" that can only act counter to my wishes?

I doubt that Microsoft would try this

[MrKevvy]

They were successfully sued (albeit more of a slap on the wrist) for antitrust violations simply for bundling a browser with an operating system.

Colluding with hardware manufacturers to actually lock out rival operating systems making them an enforced monopoly is several orders of magnitude more severe. Why would they risk that when other operating systems have such a tiny market share anyways? The possible penalties are not worth it for a small increase.

Re:

[hedwards]

The difference is that MS is requiring secure boot for a special logo, but not telling manufacturers whether or not to allow other oses to be installed. In practice, I wouldn't be surprised if some vendors opted not to allow people to turn it off or provide alternate keys.

Re:I doubt that Microsoft would try this

[walterbyrd]

MS would just say that the hw makers decided to do it. Besides, MS never gets more than a slap on the wrist.

Why would MS do this? The same reasons that MS funded the scox-scam, and bribed officials in the OOXML scam.

Re:

[gman003]

Besides, MS never gets more than a slap on the wrist.

Not in the US, but the European Union is pretty good at it. Back in 2008 they fined the company over 10% their annual revenue, just for bundling Windows Media Player.

Re:I doubt that Microsoft would try this

[Lando]

I may be way off base here, but though Microsoft was declared to be an illegal monopoly, wasn't their punishment settlement basically an agreement that gave them more control and profit than they had before? I'd have to go back and read through the documentation. That being the case, wouldn't it be in Microsoft's best interest to get in trouble again. Either way, it would be 10+ years before the case went to trial and by that time it would be the defacto standard .

Re:

[gman003]

That's on the desktop. Which, admittedly, is a major source of revenue for Microsoft, but not the only one. On servers, you're looking at about a 50/50 split (plus or minus 30%, depending on how you define "server" and who's paying for the study). Microsoft is definitely threatened there - they may even be the underdogs in that case.

Disabling secureboot implys a Non-Win OS is risky

[Anonymous Coward]

The requirement to disable Secureboot in order to run a non-Windows OS will imply that the other OS is less secure. Just another way for M$ to try and make the hardware pseudo-proprietary. This is not much different than the 'Windows Key'. Ask yourself, Is this an attempt to incorrectly solve a problem that doesn't exist or just another FUD tactic from a behemoth corporation?

Re:

[Microlith]

It will be true, but not the fault of the OS (rather, an unfair and untrustworthy means of key distribution.)

No, that's not a solution

[liquidweaver]

Disabling secure boot is not a solution - it's crippling the security, needlessly. I'd love to hear my Dell rep explain to me on my next round of server purchases that I cannot use a fantastic feature to protect the security of my linux servers because they were too lazy/corrupt to enable me to use my own platform key. I will buy from the vendor who allows my to set the PK, and will not from those who refuse. Period.

Re:

[Penguinisto]

I get the feeling that, come your next server RFP, your HP and Dell sales reps are going to ask you which secure boot version you want - Windows, ESXi, RedHat, or SuSE (maybe, but only because Intel has a hard-on for it as their own preferred server distro). You really won't have any other alternative.

'course, that's going to limit the flexibility, and require you to buy a new server (or buy some sort of firmware/EFI flash utility) whenever you put another OS on it. Then again, considering that you'll be bu

Re:

[betterunixthanunix]

I get the feeling that, come your next server RFP, your HP and Dell sales reps are going to ask you which secure boot version you want - Windows, ESXi, RedHat, or SuSE (maybe, but only because Intel has a hard-on for it as their own preferred server distro). You really won't have any other alternative.

I doubt it, there are too many businesses that need to be able to run whatever they want on their servers. Right now businesses want more flexibility, not less.

What you can bet on, though, is that you will never be allowed to use any of those servers to play movies, music, or video games. The split between "consumer" systems and "enterprise" systems is going to be enforced with secure boot. Consumers will not be able to install their own OSes, or if they do disable or modify secure boot, they will p

Re:

[Bengie]

ROFL. You must be new to IT.

Booting from the Network, boot up memtest, booting up WinPE, booting up Spin Rite... All are not signed OSs.

The day IT can't use their tools on the computers is the day billions of dollars of computer orders will suddenly stop going to OEMs.

So, you are absolutely sure that OEMs are going to abandon enterprise customers because they didn't want to pay an extra $0.01 per computer to allow an option to disable secure boot? Think about that for a bit.

In other news, vaccinations don't

Re:

[mystik]

Remote attestation will verify the trust all the way to the root platform key, be it Microsoft's or another vendor.

The power to install my *OWN* key, means *I* have the power to trust that *my* server, with *my* software has not been compromised. This is kind of a big deal, and helps protect against all sorts of rootkits.

A toggle that is simply "Use MS's Key" and "Use no key at all" is not an acceptable option.

Missed the point

[betterunixthanunix]

If your computer is going to run consumption-oriented software, then a priori its owner is assumed to be untrustworthy. This is indeed a security engineering problem: they want to prevent a repeat of the CSS key leak, which was only possible because DVD playing software could be examined. If you choose not to forfeit that sort of control over your computer, you will simply not be allowed to play new movies (not immediately; think 20 years into the future).

"If large numbers of people are interested in

Re:

[Lehk228]

chip still holds the key, a fancy enough antenna(narrowly directed, multi pickup, and a high speed sampler) and a decent AI should be able to pry the key out of the chip by analyzing the electronic noise it makes

Duh

[bigstrat2003]

There's never been any real reason to believe that locking down of this feature would happen, apart from FUD. This whole thing is a tempest in a teapot, and it's frankly sad to see how many members of the community are willing to believe that "on by default" necessarily means "unable to turn off".

Re:Duh

[Sasayaki]

For now.

Features like this tend to creep their way in slowly.

- It's something you can turn on.
- It's on by default, but you can turn it off easily.
- It's on by default and you need a CS degree to turn it off.
- It can only be turned off by hacking your system.
- It can only be turned off by hacking your system, and this is illegal to do.

Re:

[Microlith]

Damnit. Posting to clear bad mod :(

Re:

[exomondo]

For now.

Features like this tend to creep their way in slowly.

- It's something you can turn on.
- It's on by default, but you can turn it off easily.
- It's on by default and you need a CS degree to turn it off.
- It can only be turned off by hacking your system.
- It can only be turned off by hacking your system, and this is illegal to do.

out of interest, where has such a thing followed that progression?

Re:

[Penguinisto]

Gaming consoles for starters. Used to be you could mod the unholy crap out of 'em, mod others' boxes, and nobody would care.

Do it now and you're screwed for most online uses of the device. Pass it around, and you're under arrest.

Re:

[exomondo]

Gaming consoles for starters. Used to be you could mod the unholy crap out of 'em, mod others' boxes, and nobody would care.

Do it now and you're screwed for most online uses of the device. Pass it around, and you're under arrest.

Yeah but was never something you could just flip a documented switch to turn on/off, unlike Secureboot or any other BIOS features.

CS degree? try MS CERT to trun on boot os MS old o

[Joe_Dragon]

CS degree? try MS CERT to trun on boot os MS old or IT CERT / TECH SCHOOL / IT license to trun on boot Linux.

any ways windows lock in with app store lock in will be a MAJOR Anti trust issue.

Also there are industrial systems ruining old software / hardware that will be need to be on there own and I don't think people will like having to be locked into coding for what even UI MS wants to force on you as part of there locked down app store for your system that is running industrial systems.

What about nuclear p

Re:

[styrotech]

Well if MS has no incentive to push this agenda, why don't they seem interested in adding one clause to their requirements that would eliminate even the potential for slippery slopes.

All they have to do is require that all OEMs give the user the ability to control this (which is most OEMs will do anyway). The whole issue goes away and nobodies default security is any less than it would've been anyway.

After all, even Windows only users should want that control over their hardware - who the hell trusts OEMs n

Re:

[TechyImmigrant]

>There's never been any real reason to believe that locking down of this feature would happen, apart from FUD.

This is untrue. An OEM can control whether or not the purchaser can control the keys and trust list on the hardware they sell. There is nothing about secure boot that forces the OEM to take one action or another. Locking down of the feature might well happen on some platforms. Check before you buy.

Re:

[bigstrat2003]

The fact that it is possible for something to occur is not a reason to believe that it will occur. It's possible that I'll take horrible offense to one of your posts, engage in some drawn-out process to hunt you down in real life, and murder you brutally. You'd be a fool to spend even a moment's thought worrying about it, however, because such an event is exceptionally unlikely.

Re:

[exomondo]

>There's never been any real reason to believe that locking down of this feature would happen, apart from FUD.

This is untrue. An OEM can control whether or not the purchaser can control the keys and trust list on the hardware they sell. There is nothing about secure boot that forces the OEM to take one action or another. Locking down of the feature might well happen on some platforms. Check before you buy.

An OEM can completely lock you out of the BIOS too, this is no different.

Re:

[DarwinSurvivor]

Or they're just making DAMN SURE it won't by making everyone aware of the possibility.

Re:

[betterunixthanunix]

There's never been any real reason to believe that locking down of this feature would happen, apart from FUD

Yeah, because we never saw a company try to pull something like that...

http://en.wikipedia.org/wiki/Xbox [wikipedia.org]
http://en.wikipedia.org/wiki/Playstation_3 [wikipedia.org]
http://en.wikipedia.org/wiki/Nintendo_wii [wikipedia.org]

Let us not forget that media consumption is widely considered to be a strategic area for personal computer vendors to move into. We are going to be seeing more and more entertainment moving to PCs, and hardware and software makers can make their systems more competitive in the entertainment marketplace by lock

Re:

[clarkn0va]

hardware and software makers can make their systems more competitive in the entertainment marketplace by locking down their products.

O the irony of that statement! And yet I concede that in this twisted world you are indeed correct.

Re:

[betterunixthanunix]

As a corollary, the fact that something vaguely similar has happened in a not-entirely-related arena is not a reason to believe that the event will occur

Not entirely related? Let's see...

• Gaming is a billion dollar industry on both consoles and on PCs.
• The business strategy surrounding PCs is based on media consumption, for which DRM has never been taken off the table.

In general, when large companies with entrenched interests in marketing their platforms to music and movie studios talk about security, it is safe to assume they are talking about the security in the context of preventing people from doing certain things with their computers. Blizzard has

Re:

[bigstrat2003]

Not entirely related? Let's see... Gaming is a billion dollar industry on both consoles and on PCs. The business strategy surrounding PCs is based on media consumption, for which DRM has never been taken off the table. In general, when large companies with entrenched interests in marketing their platforms to music and movie studios talk about security, it is safe to assume they are talking about the security in the context of preventing people from doing certain things with their computers. Blizzard has invested significant resources in this sort of security, to enforce the rules of their video game and ensure that people have paid the appropriate fees.

That's not entirely related, as I said. What happens on gaming consoles has some relevance to what happens on general-purpose PCs, but not total relevance. They are not the same market, and it doesn't follow that a trend in one will happen in the other.

Does this count?

Not in the least. Even if your link showed that there was an incredible concerted effort to cram DRM down the throats of unwilling consumers everywhere (which it doesn't, the existence of the consortium described there doesn't tell us about their actions), it

Re:

[Microlith]

Even if your link showed that there was an incredible concerted effort to cram DRM down the throats of unwilling consumers everywhere

And yet, in the face of DRM system after DRM system being introduced, you deny that the industry isn't explicitly taking this route? HDCP was created by Intel, this boot lockout method was developed by a consortium including Apple, Microsoft, and Intel as the biggest players. Virtually every ARM chip includes such system-crippling capabilities and it is regularly deployed. Mic

Re:

[makomk]

If you've got an OEM machine, you probably can't change most of the BIOS settings. A lot of OEM BIOSes even do things like disabling virtualization and removing the option to re-enable it.

No. Its worse than it looks.

[unity100]

If it was something that was really locking linux out in an apparent fashion, matter could be taken into courts.

But now customer is not prevented from doing it - but, this time will need to be able to get into bios, turn it off, and only after that install linux.

as you can readily agree, vast majority of computer users would not even know what 'bios' was. so, if a non-tech person from idaho was recommended linux, and got ahold of a cd and attempted to install it ............ go figure.

This situation will make it slower for linux proliferation in mainstream, due to the tech aptitude threshold. And conveniently too - you cant argue against it because if someone knows what a bios is and what is the setting for allowing other oses, s/he can do it. if not, s/he can not. so convenient.

Will windows 7 run in SecureBoot mode? as if not

[Joe_Dragon]

As if SecureBoot needs to be off for windows 7 to boot then OEM will be just about forced to have it off or at the very least on the business line.

Even then for home use let's see windows 8 metro ui may be a no go for
*metro app only in metro ui, so no steam, no iTunes, and other apps in metro mode.
*app store lock in and censorship for metro apps.
*no multitasking as it is now in metro mode.

I think people will go back to 7 or say 7 is fine.

Re:

[tepples]

As if SecureBoot needs to be off for windows 7 to boot

Unless Microsoft releases a service pack that adds UEFI Secure Boot support to Windows 7.

*metro app only in metro ui, so no steam, no iTunes, and other apps in metro mode.

Then press the Windows key to bring up the desktop.

missing the obvious, here.

[texaport]

it is really just a plot to keep my reverse-Hackintosh from coming to market. I cannot see how we will ever have an inexpensive, stand-alone Mac running Windows 8 (ie., free from Bootcamp, VMWare or Parallels) Well played, Microsoft.

Unacceptably thin concession

[mysidia]

Dell plans to have a BIOS switch to allow SecureBoot to be disabled,

Can you please remind me again... what percentage of the average user population knows how to change a BIOS switch?

Currently they can just pop in their knoppix CD or try Ubuntu with a Live CD; No expertise regarding BIOS settings required (normally).

What we have here is an anti-competitive practice being endorsed by Microsoft in the form of a logo validating "Secure" boot.

This is a low blow, and a shoddy attempt to ward away other

Re:

[Bengie]

"Currently they can just pop in their knoppix CD or try Ubuntu with a Live CD; No expertise regarding BIOS settings required (normally)."
Currently they can just run their favorite malware and screw their computer; No expertise regarding BIOS settings required (normally)

I use to be able to run any config I wanted, but now they have all of these "users" and stuff to help keep my machine more secure. Passwords, Users, encryption, tokens, all of this stuff is just trying to make things more confusing. I should

Re:

[gregrah]

This just isn't a concern for me.

Installing and configuring Linux is difficult. Some slashdot readers will disagree with me, but as CS degree-holder and Linux user who has spent hundreds of hours troubleshooting fresh Linux installations on my own machines (and in several cases reverting back to windows because of some deal-breaker hardware incompatibility issue), I can confidently say that I would NEVER recommend to any of my family members that they attempt to install Linux on their own.

In othe

please keep in mind

[Truekaiser]

we are at least a year away from 8 being released. plans change and they might change their minds. it would be pref-able that NO motherboard had this option to start with.

Another Benefit

[no-body]

Even if it can be disabled, great FUD argument is that all which disables it is UNSAFE!

It's an ongoing turf war.

self-described

[PopeRatzo]

From the comments at the ZD story:

Protecting 99% of users is more important than catering to the whims of a whiny 1%.

Where have we heard that before?

Can you believe Microsoft is using the language of Occupy Wall Street to try to position itself as the "masses" fighting the "whiny 1%" of people who prefer OSS?

ZDNet, Ed Bott, and some Microsoft executives all need to burn in hell.

Microsoft Tax

[Rie Beam]

What about license agreement? I remember the whole "Microsoft Tax" issue a few years back, where it was basically determined that if you purchased a computer and did not approve the license, you could get a refund on the operating system software (i.e., Windows).

If I purchase a computer and have no plans to dual-boot Windows and Linux, how is this not forcing an illegal tie-in on the consumer? In that I literally cannot opt out of using a Microsoft product? Didn't they -just- have huge lawsuits about this a

This shouldn't be an issue

[Dogun]

I don't see why linux can't adapt to these boot protection schemes. Self-signed or vendor signed, as long as there's a way to import your key information, what's the issue? Frankly, code signing is a good thing, especially if you can perform it from the ground up.

I understand the anxiety, here, especially given that Sinofsky is not a popular figure and nobody wants to trust any initiative he backs. That having been said, MS (and partners) would be opening themselves up to swift antitrust action again if th

Just need self-signing

[pslam]

The solution is obvious: allow installation of your own root certificate. This is supposed to be for security, not vendor lock-in. Without this option, I simply don't believe their intent.

Journalists are Stupid

[Doc Ruby]

Of course if some big tech corps, that have lived through a decade and more of Microsoft subject to restrictions for abusing its PC monopoly, tell some journalist that they're not going to help Microsoft compete unfairly with Linux then they must be telling the truth.

Journalists are stupid. Especially when they expect the rest of us to be as gullible as they are for a living.

Reality

[DaMattster]

The story leaked and PC manufacturers became concerned over public outcry and lost sales. I am not naive enough to believe that the thoughts of a locked down boot loader never was given any serious consideration by MS and the hardware manufacturers.

Next they'll want Windows 8's birth certificate

[FyberOptic]

This is such a ridiculous conspiracy that only Microsoft haters could have roused up so much in people. Microsoft doesn't have the control over PC manufacturers as people seem to think based on all of this nonsense. And manufacturers aren't idiots; they know that they sell plenty of hardware to corporations, networking/hosting companies, research labs, etc, and they know that those clients need machines which can run alternative operating systems without all of this implied dicking around.

What I think it

Re:

[betterunixthanunix]

How about the freedom to choose an independent mechanic?

http://en.wikipedia.org/wiki/Motor_Vehicle_Owners'_Right_to_Repair_Act [wikipedia.org]

When you switch from hard drive first to CD first

[tepples]

You need to get into BIOS to switch from hard drive first to CD first or USB first anyway. What's the big deal from switching from "hard drive first, secure boot on" to "CD first, secure boot off" or "CD first, import new bootloader key from CD"?