Ramblings of an old Doc

Claiming security as the reason, MS’s new OS W8 won’t allow “Dual Boot”. OK, no tragedy, right?

OEM systems shipping with Windows 8 will have secure boot enabled by default to only load verified operating system loaders during boot time. This prevents malware from switching the boot loader, but also other operating systems that are not signed from being loaded. According to the gHacks article I read (among others), this is only a issue for UEFI systems, if you plan to upgrade an existing system with BIOS you won’t be affected by it.

This is the foot in the door. How long will older Bios systems be around, especially when unknowing consumers get the spiel about how much more secure the UEFI systems are?

UEFI is touted as a more secure replacement for the older BIOS firmware interface, present in all IBM PC-compatible personal computers, which is vulnerable to bootkit malware.

While Windows 8 certification requires that hardware ship with UEFI boot enabled, it does not require users to be able to disable the feature (which can be done) and that it does not require that the PCs ship with any keys other than that of Windows. The main problem that the Free Software Foundation (FSF) sees is that Microsoft defines consumers as the hardware manufacturers and not the little guy at the store who actually buys the computer. MS sells OS’s, not computers.  MS is giving the manufacturers the power to decide how to implement the feature. That’s where the problems will come in:

  • Windows 8 certification requires that hardware ship with UEFI secure boot enabled.
  • Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.
  • Windows 8 certification does not require that the system ship with any keys other than Microsoft's.
  • A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems. – M. Garrett, Red Hat

 

This will mean that you are no longer in control of your PC and might well not be able to switch graphics cards, nor hard drives, printers, sound or network cards:  All hardware that would otherwise be compatible with the PC won’t function because of missing signing keys in the OS.

That will be the purveyance of the computer manufacturer and any deal it may have made with MS (and anyone else). Proprietary hardware might see a heyday never before imagined. The opposite for software like OS’s, and perhaps browsers. No one should have the power to determine that for you:

“The UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load.

There is no centralised signing authority for these UEFI keys. If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable.” – M. Garrett, Red Hat

The biggest problem that will create (besides from a lack of competition) is that the consumer would have to do hours of research as to what hardware and software he or she could use with his or her system, which keys his/her machine has enabled for what. That’s ridiculous. How many people understand Pkek keys and couldn’t change them even if they did. It’s also way too limiting. Arguably, this is in restraint of free trade.

The Free Software Foundation wants people to urge computer manufacturers to enable the keys to allow software such as those for other OS’s and other software to be enabled. I agree, and anticipate you do as well.

What about Stardock’s software? Will you be able to install it? Will it be allowed to work on boot?

“Those who would sacrifice freedom for security soon have neither”, said Ben Franklin so long ago. How right he was. In so many ways.

By the way: Does anyone seriously think the hackers won’t find holes in the UEFI? I promise you they will. Then what will we have?

No security and no freedom.

I recommend you follow Martin Brinkmann's gHack.net website. It is a source of excellent reviews and commentaries.

Source:

http://www.ghacks.net/2011/09/23/windows-8-boot-security-and-third-party-operating-systems/

http://mjg59.dreamwidth.org/5552.html

http://mjg59.dreamwidth.org/5850.html


Comments (Page 8)
9 PagesFirst 6 7 8 9 
on Oct 31, 2011

kona0197
Perhaps the Windowblinds programmers can have the skins install to a different location. It's that simple I would think. 

It's set up to default to the public folders so you can access the skins from any profile on a PC. A lot of folk only have one PC and have multiple user profiles for everyone in their household. If the skins are in one shared location you don't have to waste drive space by having individual installs under each profile.

on Oct 31, 2011

Makes sense. However I don't think Microsoft is forcing people to use the public folders.

on Oct 31, 2011

Why not during install ask the question for this user or all users/ I know some programs already ask this question.

on Oct 31, 2011

kona0197
Starkers: I don't use any skinning apps so nothing is stored in my public folders.

Oh, to have such a simplistic and uncomplicated take on things!   However, that's where we're different!  I refuse to accept mediocrity [the default Win UI] and therefore dress my desktop to suit my personal preferences.

As for moving my skins, don't you think I would if I could?  As Doc rightly stated, if the skins are moved then the apps do not function... period.

kona0197
my point was that Microsoft isn't forcing anyone to use the public folders and they can be deleted.

Again, wrong!  MS wishes its partners and other developers to default to the Public folders.. and what MS wants it gets, it's as simple as that.  So, kona, if you ever decide to install a 3rd party app which is required by MS to install its program extras to the public folders, and you have deleted them, then you're going to have all sorts of fun and games and would likely be on here seeking advice as to what went wrong.   They're there for a reason, whether or not we agree with it, and to delete them [they're actually system folders] would be foolhardy

If I recall correctly, Impulse would let you choose another folder other than the default for installing skins, at least on XP.

Sadly, no, not in Vista or Win 7.  It was with the advent of Vista that things changed, and MS required developers and users alike to utilise the public folders... so ALL users could access files, etc.... though making it the default on a single user PC makes no sense at all, particularly with smaller capacity SSD's emerging as the preferred OS drive for many users.

OldMsgt
Why not during install ask the question for this user or all users/ I know some programs already ask this question.

Now this is a suggestion that actually makes sense... because it gives 'single' users the option to install to locations other than the default 'shared' location. However, I think the preferable method would be for MS to give users the option of single OR multiple users during the Windows installation, so that if I tick the single user option I have NO public folders and I can install items of my choosing to locations of my choosing.

There is NO public on my PC to share with, so I resent the fact that MS deemed it appropriate to even place public folders on my single user PC by default... and to make them the default repository for a range of files that I share with absolutely no-one is downright rude, if not dictatorial.  So yeah, I want MS to start listening to me as a user, everyone else who despises it,  and remedy this horrible public folder by default situation to suit US

on Oct 31, 2011

Starkers - I have loads of 3rd party software. Only one ever installed something to the public folders and that one was trial ware that came with the PC. And if I delete the public folders they are simple to re-create.

Besides my point was that Microsoft isn't forcing anything upon you. You don't have to use Windows, or a version that has public folders.

on Nov 01, 2011

kona0197
Starkers - I have loads of 3rd party software. Only one ever installed something to the public folders and that one was trial ware that came with the PC.

Like I said before, how nice to have such an uncomplicated life and simplistic view of things.  Obviously you don't have libraries of things that Microsoft deems you should share with everybody, so yes, your public folders are/would be empty.  Again, kona, my skin files ARE placed in Public Documents because Microsoft REQUIRES 3rd party developers, such as Stardock and WinStep to default them there.  So, if I want to skin my UI because the default UI is butt ugly, Microsoft is in fact forcing me to install and maintain public folders I would rather NOT have.

kona0197
Besides my point was that Microsoft isn't forcing anything upon you.

Okay, here's another, slightly different but still related, one.  If I want to stream music or videos to other devices in my home, I have to place them in the corresponding public folders, otherwise my devices cannot access them. I prefer, due to the limitation of size on my SSD, to store my music and video files on another physical drive, but when I do so my devices upstairs do not see them.  In other words, they MUST be placed IN the public folders for me to stream them to MY media players elsewhere.  Now that, kona, no ifs buts or maybes, is me being forced by MS to store shit in public folders that I would rather not have, period.

on Nov 01, 2011

starkers
Microsoft is in fact forcing me to install and maintain public folders I would rather NOT have.

No they are not. You can choose to install Linux or use a Mac. No one is forcing you to use Windows. You choose to do so. By choosing to do so you also choose to do things their way by default. As for the public folders, I think that's more of a programmer's choice that something Microsoft is doing. I'm pretty sure the developers of windowblinds could change the program to install skins in a different location. After all, XP didn't use public folders and windowblinds worked just fine.

As for your other issue, I have no problems streaming music from a plugged in external source. No need to use public folders.

on Nov 01, 2011

kona0197
No they are not. You can choose to install Linux or use a Mac. No one is forcing you to use Windows.

Perhaps, but to choose Linux would restrict or eliminate many of my current options.... and a Mac at this time is not within my budget.  So while there may be other OS options, Windows is still the OS of choice because it is more widely developed for and therefore more likely to cater to my needs/wants.  Still, that does not mean I have to like changes MS has made to Windows since XP...  one being the installation of public folders that actually detract from my user experience because choices inconvenient to me have been made for me.

Yes, Win 7 is a big improvement on XP in many respects, but the advancements in OS technology should be about choice and empowering the user, not removing choice and hindering his/her user experience.  I also agree that 3rd party devs should give MS the finger and allow users to install their libraries to locations of their own choosing, but I don't know of too many developers who would take such a bold step when MS has the power and clout to make or break them.

kona0197
As for your other issue, I have no problems streaming music from a plugged in external source. No need to use public folders.

Okay, so did you misunderstand what I said.... or did you deliberately put that bass ackwards so as to continue arguing?

Orright, I'll put it another way!  Okay, so I have my main computer downstairs, and on that computer I have a 2tb internal HDD named F: Media Files... and on that drive I store my music, home videos, etc, etc.  Following me so far?  Right!  So, upstairs I have an Emachines netbook which is networked to my main PC downstairs.  Okay?  Now if I wish to view a video that's stored on my downstairs PC, I must first place that video in Public Videos folder on the main computer... why? because the netbook upstairs only has access to the public folders and cannot see F: Media Files.

I also have a network enabled Beyonwiz PVR and a LG BluRay player with a network enabled media player that can play files from my PC, but guess what?  Neither can see F: Media Files.  They can, however, see the public folders, and that's where I have to move files if I wish to view them on other devices.  And no, placing a shortcut to access the media drive from the public folder does not work

As for viewing/playing files from an external plugged in source, well yeah, I can do that too.... I just network it to my main PC and bang, everything on that device is shown in an opened folder. 

So kona, whatever your understanding of things may be, or what is a given situation for you, it doesn't necessarily apply to anyone else, okay?

on Nov 01, 2011

kona0197
I'm pretty sure the developers of windowblinds could change the program to install skins in a different location. After all, XP didn't use public folders and windowblinds worked just fine.

they could but MS change it back in XP's time to not have WB skins in the C:\Program Files\Stardock\Windowblinds(\themes or Skins) don't remember where on XP they went now cause I don't have XP installed ... but in a way you could say it was a Public folder just not named Public  think it might be All Users

 

which is odd beings I don't have to have my Dreams use the default folder I can tell it what folder I want it use

and I use my Slave Master (F:\)  (F:\ObjectDeskTop\DeskScapes) Just like Windows Media Player I tell it to look here at my Slave Master (F:\)  (F:\Music)

 

on Nov 02, 2011

http://www.zdnet.com/blog/bott/leading-pc-makers-confirm-no-windows-8-plot-to-lock-out-linux/4185

Snips -

In an e-mail exchange and a follow-up phone conversation, a Dell spokesperson told me, “Dell has plans to make SecureBoot an enable/disable option in BIOS setup.” (That’s exactly what the FSF is demanding.) Dell plans to move to the UEFI version that includes Secure Boot in the Windows 8 timeframe, although the spokesperson told me it’s far too soon to provide any further details about the company’s plans for Windows 8 PCs.

I also contacted HP’s PC division, where a spokesperson had to scramble to find anyone within the organization who was even familiar with the issue. Although engineers are busy working on Windows 8 plans, product managers and senior executives are still focused on building and selling the tens of millions of PCs that will be sold with Windows 7 in the next year.

The spokesperson confirmed for me that HP has no plans to participate in any conspiracy against a non-Windows OS: “HP will continue to offer its customers a choice of operating systems. We are working with industry partners to evaluate the options that will best serve our customers.”

Those comments are on top of a statement from a spokesperson for leading BIOS maker AMI, who told me last month that ”AMI will advise OEMs to provide a default configuration that allows users to enable / disable secure boot, but it remains the choice of the OEM to do (or not do) so.”

Speaks for itself really - my favorite bit next

No, the real goal of the campaign against Secure Boot is to whip up antipathy toward Microsoft and its hardware partners. And it’s already working.

on Nov 02, 2011

Dell:

Interesting. It doesn't say what will happen if you enable secure boot - because then it will boot 8 only (and have MS Cert).

"the spokesperson told me it’s far too soon to provide any further details about the company’s plans for Windows 8 PCs." means what? It's not saying you'll have a choice, though.

HP:

“HP will continue to offer its customers a choice of operating systems. We are working with industry partners to evaluate the options that will best serve our customers.”

Which means what? That spin is like wet cardboard, savyg. There's nothing that says, "You will be able to choose what you want, and we will explain your options and what they mean clearly." Again, if you choose W8, will you be able to have a dual boot? I think not, unless they allow a "non secure boot", and when they phrase it that way, who'll understand what they're talking about and opt for it? Need I remind anyone what the knee jerk response (especially in America) to that type of question will be?

AMI:

 ”AMI will advise OEMs to provide a default configuration that allows users to enable / disable secure boot, but it remains the choice of the OEM to do (or not do) so.”

Which means? Exactly back to the beginning. This will be in the hands of the OEM's... as I said.

No, the real goal of the campaign against Secure Boot is to whip up antipathy toward Microsoft and its hardware partners. And it’s already working.

Not my goal. Mine is to inform people and to make a plea for an open choice. If it turns out as you think it will, fine! Great! I find little reassuring in those quotes... they are extremely non-committal. 

on Nov 04, 2011

So alternative OS users are too dumb to know how to turn secure boot off eh?

Seriously don't see the problem there.

As far as HP, standard PRspeak.  I doubt they've really given the issue much consideration...it's not worth worrying about when there isn't even a beta to build and test machines against.

You're right, I do think it'll work itself out.  Either way there's really nothing to be done but wait and see.  IMO people are getting worked up over nothing.

on Nov 04, 2011

So alternative OS users are too dumb to know how to turn secure boot off eh?

Not talking about them. Talking about the folks who don't know other possibilities even exist.

 I doubt they've really given the issue much consideration...it's not worth worrying about when there isn't even a beta to build and test machines against.

That's your take, and your right to believe or not, as you see fit. I'm less trusting.

Either way there's really nothing to be done but wait and see.

I'm not favoring passivity in this. I believe the computer customers should make themselves heard.

on Nov 04, 2011

you know, i'm rather mystified why for casual users, it has to disable secure boot, as opposed to making it also work with certain brands of linux, or making linux work with it.

on Nov 04, 2011

DisturbedComputer
which is odd beings I don't have to have my Dreams use the default folder I can tell it what folder I want it use

Yes you can but they will copy themself into the default directory when you run one. Then you have one in your default directory and one in your chosen directory.

9 PagesFirst 6 7 8 9