Ramblings of an old Doc

Claiming security as the reason, MS’s new OS W8 won’t allow “Dual Boot”. OK, no tragedy, right?

OEM systems shipping with Windows 8 will have secure boot enabled by default to only load verified operating system loaders during boot time. This prevents malware from switching the boot loader, but also prevents other operating systems that are not signed from being loaded. According to the gHacks article I read (among others), this is only an issue for UEFI systems; if you plan to upgrade an existing system with BIOS, you won’t be affected by it.

This is the foot in the door. How long will older BIOS systems be around, especially when unknowing consumers get the spiel about how much more secure the UEFI systems are?

UEFI is touted as a more secure replacement for the older BIOS firmware interface, present in all IBM PC-compatible personal computers, which is vulnerable to bootkit malware.

While Windows 8 certification requires that hardware ship with UEFI secure boot enabled, it does not require that users be able to disable the feature (which can be done), and it does not require that the PCs ship with any keys other than that of Windows. The main problem that the Free Software Foundation (FSF) sees is that Microsoft defines consumers as the hardware manufacturers and not the little guy at the store who actually buys the computer. MS sells OS’s, not computers. MS is giving the manufacturers the power to decide how to implement the feature. That’s where the problems will come in:

  • Windows 8 certification requires that hardware ship with UEFI secure boot enabled.
  • Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.
  • Windows 8 certification does not require that the system ship with any keys other than Microsoft's.
  • A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems. – M. Garrett, Red Hat

 

This will mean that you are no longer in control of your PC and might well not be able to switch graphics cards, nor hard drives, printers, sound or network cards: all hardware that would otherwise be compatible with the PC won’t function because of missing signing keys in the OS.

That will be the purview of the computer manufacturer and any deal it may have made with MS (and anyone else). Proprietary hardware might see a heyday never before imagined. The opposite for software like OS’s, and perhaps browsers. No one should have the power to determine that for you:

“The UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load.

There is no centralised signing authority for these UEFI keys. If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable.” – M. Garrett, Red Hat

The biggest problem that will create (aside from a lack of competition) is that the consumer would have to do hours of research as to what hardware and software he or she could use with his or her system, and which keys his or her machine has enabled for what. That’s ridiculous. How many people understand Pkek keys, and how many could change them even if they did? It’s also way too limiting. Arguably, this is in restraint of free trade.
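An added example (not from the original post or from Garrett's articles): the key lists described in the quote above are stored in firmware variables as EFI_SIGNATURE_LIST structures, and this Python parser lists the certificates and image hashes such a variable holds. The sample bytes and owner GUID are constructed, and `read_efivar` assumes a Linux system exposing efivarfs.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",
}
# EFI_SIGNATURE_LIST header: type GUID, list size, header size, entry size.
HEADER = struct.Struct("<16sIII")


def read_efivar(path):
    """Read a variable from Linux efivarfs, dropping the 4-byte attributes."""
    with open(path, "rb") as fh:
        return fh.read()[4:]


def parse_signature_lists(blob):
    """Return one dict per trusted (or revoked) entry in a db/dbx/KEK blob."""
    entries, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, pos)
        body = list_size - HEADER.size - hdr_size
        if (list_size > len(blob) - pos or sig_size <= 16
                or body < 0 or body % sig_size):
            raise ValueError("inconsistent sizes at offset %d" % pos)
        kind = SIG_TYPES.get(uuid.UUID(bytes_le=type_raw), "other")
        first = pos + HEADER.size + hdr_size
        for off in range(first, pos + list_size, sig_size):
            owner = str(uuid.UUID(bytes_le=blob[off:off + 16]))
            data = blob[off + 16:off + sig_size]
            # Image hashes are listed as-is; certificates by SHA-256 fingerprint.
            ident = data.hex() if kind == "sha256" else hashlib.sha256(data).hexdigest()
            entries.append({"type": kind, "owner": owner, "id": ident})
        pos += list_size
    return entries


def build_list(type_guid, owner, payloads):
    """Encode equal-length payloads as one list (used for the sample only)."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    return HEADER.pack(type_guid.bytes_le, HEADER.size + len(body), 0,
                       16 + len(payloads[0])) + body


# Constructed sample: placeholder bytes stand in for a DER certificate.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
X509, SHA256 = list(SIG_TYPES)
SAMPLE_DB = (build_list(X509, OWNER, [b"CONSTRUCTED-CERT-BYTES"])
             + build_list(SHA256, OWNER, [hashlib.sha256(b"loader-a").digest(),
                                          hashlib.sha256(b"loader-b").digest()]))

if __name__ == "__main__":
    for entry in parse_signature_lists(SAMPLE_DB):
        print(entry["type"], entry["owner"], entry["id"])
```

On a Linux machine booted through UEFI, calling `parse_signature_lists(read_efivar(path))` with the path of the `db` variable under `/sys/firmware/efi/efivars/` lists what that firmware will accept.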

The Free Software Foundation wants people to urge computer manufacturers to include the keys that allow other OS’s and other software to run. I agree, and anticipate you do as well.

What about Stardock’s software? Will you be able to install it? Will it be allowed to work on boot?

“Those who would sacrifice freedom for security soon have neither”, said Ben Franklin so long ago. How right he was. In so many ways.

By the way: Does anyone seriously think the hackers won’t find holes in the UEFI? I promise you they will. Then what will we have?

No security and no freedom.

I recommend you follow Martin Brinkmann's gHacks.net website. It is a source of excellent reviews and commentaries.

Source:

http://www.ghacks.net/2011/09/23/windows-8-boot-security-and-third-party-operating-systems/

http://mjg59.dreamwidth.org/5552.html

http://mjg59.dreamwidth.org/5850.html


Comments (Page 5)
on Oct 23, 2011

OEMs make many choices as to what they will and won't support in their systems, in terms of both firmware (what BIOS options are available) and hardware (limited or non-existent expansion options, etc). Mass-market OEM machines very frequently only have the bare minimum needed to support the particular model's specs and whatever at-purchase expansion options they offer; aftermarket expandability isn't really something they care about.

All the more reason for people to build their own... or have someone build it for them.  The trouble with that is, however, people are often their own worst enemies.... in that they don't want to wait a day or two for it to be completed and test-run, etc.  In many cases, and I've seen it at my local PC store, which refuses to sell proprietary brand, pre-built computers, people WILL NOT WAIT.  If they can't rip it off the shelf, plug it in and run it, there's simply no sale.

So Doc, while I see your key points and largely agree with them, OEM's need to lift their game, I also see where Kryo is coming from.... his point being that while the masses live in and accept a mass produced, largely throw away world, where it just works and no more, nothing much is going to change.  In other words, if we as a society have accepted mediocrity as the standard, then we get exactly what we deserve.

I build my own computers because I refuse to accept mediocrity when it comes to my PC's.  I may not have the absolute best, fastest machine around, but I do have something that more than meets my needs and then some.  More to the point, I'm not limited or restricted by an OEM design that does not allow for expansion, customisation, upgrading... and I'm not tied to a customer support base that's usually overseas and manned by people I can barely understand.

My very first computer was a Compaq with no upgrade opportunities whatsoever, so when I found it struggling to run the XP upgrade over 98, I decided it would be the last prebuild I ever owned.  My next machine was built for me by my regular tech guy, a P4 based rig, as I recall, but ever since then I've built my own, not to mention several rigs for family members, because they too refused to accept mediocrity when made aware of what is available outside the OEM's.

on Oct 23, 2011

This may have been said already, but can't you just run Virtual PC from Win8 and run an ISO disk image of an older OS?  Who knows, maybe Virtual PC will no longer be compatible with the new OS.

 

Anyway, I for one am NOT joining on the Windows 8 bandwagon.  I bought both Vista & 7 on the first day of their respective releases, and encountered many driver issues and such.  I've learned my lesson.  I won't buy Windows 8 for a long time, if at all.

And what about Stardock Software?  If SD's software won't run on Win8, or it becomes restrictive and featureless, then the hell with Win8.

I for one will not conform and become a "clone" like most mainstream consumers today.  I may have bought my machine from a local Brick and Mortar chain, but I upgraded the crap out of it; with a Solid State Drive, multiple LED lit fans, and even a new power supply.  Any OS that won't allow customization is dead to me!

on Oct 24, 2011

VistArtXPosed
Anyway, I for one am NOT joining on the Windows 8 bandwagon. I bought both Vista & 7 on the first day of their respective releases, and encountered many driver issues and such. I've learned my lesson. I won't buy Windows 8 for a long time, if at all.

I too bought Vista and Win 7 on their respective release days, and I had very few problems with Vista [just my printer drivers] and no problems with Win 7.  In fact, Win 7 pretty much installed everything I needed right off the cuff, so there was no need to go hunting down drivers, etc.  However, whether or not Win 8 installs everything like 7 did, I still very much doubt I'll be updating to it... on release day or any soon thereafter.

That Metro abomination by default completely canceled any thought I 'may' have had regarding the next OS from MS.... and with MS beginning to behave like Apple, with its locking of software to specific hardware, the attraction faded fast into obscurity.  Okay, it may only be tied to the OEM's hardware/motherboards right now, but once they get away with that and sales don't suffer too dramatically, there's nothing to say the practice won't spread to non-OEM hardware/mobos.

It is claimed this measure is for security purposes, but anyone who believes that will also believe the tooth fairy will leave them money if they leave their old dentures under the pillow.   For mine, this is an attempt to be Apple, and I hope the anti-trust people nail them to the wall on this one.

on Oct 24, 2011

starkers
So Doc, while I see your key points and largely agree with them, OEM's need to lift their game, I also see where Kryo is coming from.... his point being that while the masses live in and accept a mass produced, largely throw away world, where it just works and no more, nothing much is going to change.  In other words, if we as a society have accepted mediocrity as the standard, then we get exactly what we deserve.

I couldn't agree more... which is why I try to tell people about these issues and get them to understand that they are having choices made for them that aren't at all necessary nor necessarily the best.

There're no reasons whatsoever for OEM's to make these decisions and they are never transparent about what they're choosing nor why.

More freedom of choice won't harm them unless their motives are exclusionary, and then they should be put in their place.

I favor customization, as do you or why would we be here?

The only way to prevent mediocrity is to remove the blinders people are wearing. That hasn't been done in the past by the OEM's, nor is it likely to be done by them in the future unless people demand it.

Hence my support for the FSF.

on Oct 24, 2011

DrJBHL
I couldn't agree more... which is why I try to tell people about these issues and get them to understand that they are having choices made for them that aren't at all necessary nor necessarily the best.

And I appreciate your efforts.  While you may only be reaching a small part of the world's computing population, one hopes that word of mouth carries the message far and wide, so that OEM's are forced to lift their game.  If it's one thing I cannot stand in a computer, it's mediocrity and below par systems.

I've worked on a few proprietary machines and I have only one word... um, two words for them... effing frustrating.  For the most part, they are a lot of very cheap parts crammed into a not so large box, and when one thing goes, so do several others.  I had the displeasure of trying to fix one of those Acer mini towers for my nephew when something went wrong, and let's just say the only salvageable part was the DVD ROM drive... everything else was burned/shorted out and totally useless.  Why?  Because there was too much cheap crap crammed into way too small a space without adequate ventilation or cooling.  Those things are a PC disaster waiting to happen.

DrJBHL
There're no reasons whatsoever for OEM's to make these decisions and they are never transparent about what they're choosing nor why.

I think the reason for various decisions and the lack of transparency is answered in part by the above paragraph.  It is done for cheapness, plain and simple.  The cheapest and nastiest parts are thrown together to make a PC that works, nothing more, nothing less.  How well it works remains to be seen.  For Mr and Mrs Average who just go into some department store and reef one off the shelf, well it probably is good enough ['til it breaks down and Support is somebody they can't understand], but for anyone with half an ounce of expectation that it'll perform half decent, then it will be well below par.... and that's why the OEM's need to be forced into raising their standards.

DrJBHL
The only way to prevent mediocrity is to remove the blinders people are wearing. That hasn't been done in the past by the OEM's, nor is it likely to be done by them in the future unless people demand it.

I do this all the time... that is to advise people to investigate home builds, or a custom build if they have neither the time nor ability to do it themselves.  When asked why, I explain the pitfalls and restrictions when tied to an OEM build, then I explain the advantages of customisation and upgrade-ability when going with a home/custom build.  I occasionally get the "I can't be bothered with that", but for the most part people like what I say and look into it.... often with my regular PC guy because I recommend him... for the fact that he can do it far cheaper and more professionally than I ever could.

on Oct 24, 2011

This is exactly the reason I won't buy a Mac of any sort (other than not supporting their Evil Empire ), and since the husband is good with building systems and knows what he wants, this shouldn't be an issue for us. It is sad to see Microsoft attempting this, which is why our household will stay with XP, Vista and 7 for the foreseeable future.

on Oct 24, 2011

Definitely glad I build my own PC's or have them built.

on Oct 24, 2011

LadyShrike1
This is exactly the reason I won't buy a Mac of any sort (other than not supporting their Evil Empire

Funny, I thought Google was/is the Evil Empire.... with MS running a very close second.

Anyhow, that's not the reason I haven't bought a Mac.   Despite the Oz dollar being above parity with the greenback, Mac units here in Australia can still retail up to 20% - 25% more than in the US, depending on where one shops.  A Mac Mini, for example, starts at $699 here, whereas in the US it retails from $499.  A 21" iMac MC309LL/A  here in Oz starts at $1399, yet the same unit in the US starts at $1199.  That's a big difference and too rich for me, so until Apple treats its Aussie customers on an equal par with its US customers I will not consider an Apple computer.

Yeah, for $1949 I could build myself a PC with all top-end components that would more than rival any Mac, so as much as I'd like to try one out, the price tag puts one on my very low priority list at this time.  Besides, I've already spent my computer budget for this year and much of next when I recently upgraded.

LadyShrike1
It is sad to see Microsoft attempting this, which is why our household will stay with XP, Vista and 7 for the foreseeable future.

I don't know if I'm the only one seeing this, but for mine, Microsoft is making a de-facto grab for hardware... and thus greater control over users and what they do.  Since the anti-trust case that separated Microsoft's interests in software and hardware, it cannot physically manufacture hardware, but this venture would be the next best thing... for MS, that is. 

The attempt to disguise this as a security measure is plain bullshit in my book, and just a way of making it more palatable to industry watchers and users alike.  For mine, new PC technology should be about enabling greater choices, not restricting them, and for that very reason I sincerely hope that the anti-trust people look into this development with a view to blocking it.  If I want to dual boot on my own, fully paid for, hardware, that should be my choice, not MS' or anyone else's.

on Oct 24, 2011

So...Linux is bitching about what is essentially MS following in Apple's footsteps.....

....locking people's computers to specific hardware?

WOW....who'd a thunk it?....

 

Not true anymore.  Apple MacBooks allow for dual boot and have an easy setup to handle it now. So this is something totally unique.  Before, if you were running the old Macs where the chipset was not Intel or AMD, then I could see this, but not nowadays.

There is a petition going around to force manufacturers to include the dual boot function in the BIOS mandatory for all machines, so that us who need it have the option.

 

The reason it's so important is when an OS gets old, if the machine is good you can still run free distribution software like Ubuntu on it, which is exactly what I've done to my old Windows 2003 server and it runs like a charm; a new fan and some heat sinks and an OS with a smaller footprint saved me thousands.

 

Screw that.  Win 8 will not be running in my home unless I need one for work.

on Oct 24, 2011

DarkSide73
There is a petition going around to force manufacturers to include the dual boot function in the BIOS mandatory for all machines, so that us who need it have the option.

Well, well.

There you go.... Too bad I haven't seen one yet. 



on Oct 24, 2011

DarkSide73
Not true anymore. Apple MacBooks allow for dual boot and have an easy setup to handle it now. So this is something totally unique. Before, if you were running the old Macs where the chipset was not Intel or AMD, then I could see this, but not nowadays.

Ah....but WAS true for the majority of Apple's existence....which is one good reason they're [still] an insignificant player in the PC business...

on Oct 25, 2011


Quoting DarkSide73, reply 69
Not true anymore. Apple MacBooks allow for dual boot and have an easy setup to handle it now. So this is something totally unique. Before, if you were running the old Macs where the chipset was not Intel or AMD, then I could see this, but not nowadays.

Ah....but WAS true for the majority of Apple's existence....which is one good reason they're [still] an insignificant player in the PC business...

With this stunt from MS, however, we shall see a closing of that gap as Apple's market share increases on the backlash.

I'll bet Bill Gates rues the day he handed over all MS operations to Ballmer and co.... because they're digging MS' grave with a number of iffy decisions.

on Oct 25, 2011

Ah....but WAS true for the majority of Apple's existence....which is one good reason they're [still] an insignificant player in the PC business...

Not in the mobile market, though (MS has fallen flat, there)... and a big part of that market share is price (they are very expensive), as well as the original licensing from IBM...

on Oct 25, 2011

DrJBHL
Not in the mobile market, though (MS has fallen flat, there)

Yes, but then it is a new and different technology field for MS, and when looking at Apple's successes with the iPhone. Microsoft is a very late starter and has considerable ground to make up.... against not only Apple but Blackberry; Samsung; Nokia and etc... not to mention Google's Android.

Again, though, it comes down to the decisions Microsoft makes, and given its recent form without Bill Gates at the helm, it would seem some of those decisions have not been the best... with butt ugly Metro being the default GUI for Win 8 as clear evidence of that, not to mention the dropping of sidebar gadgets and coding its partners and 3rd party developers have built their businesses on.

I really wouldn't care if Apple significantly increased its PC market share, even to 50% wouldn't be unacceptable, it may help bring down the price of Mac's, but at the same time I hope Microsoft lifts its game and listens more earnestly to its customers.  More to the point, that it does not enforce the draconian 'security' measures that WILL take away [OEM] users choices.   So why do I say this when I build my own/never use OEMs?  Because if Microsoft gets away with this one, there's nothing to stop it introducing measures that would adversely affect me, also... other home PC builders, too.

on Oct 27, 2011

Damn Win8 is scary lol I think I'll stick to Win7 for a long time till I see a glimpse of hope in the future.

 
