Re: [luv-main] Microsoft requires Windows 8 logo systems to not boot unsigned OS's

On Thu, Sep 22, 2011 at 08:52:35PM -0700, Daniel Pittman wrote:
> So, the biggest advantage is that it does work against all those attacks that compromise the kernel and/or drivers to get into the kernel after a restart. Which, indeed, is where many of the "root kit" tools hit, on Windows.

so the "solution" is to prevent installation of competing operating systems that don't have the security flaws that allow malware to compromise the kernel? or the BIOS.

wonderful. makes perfect sense.

craig

--
craig sanders <cas@taz.net.au>

BOFH excuse #145: Flat tire on station wagon with tapes. ("Never underestimate the bandwidth of a station wagon full of tapes hurling down the highway" Andrew S. Tannenbaum)

On Fri, 23 Sep 2011, Craig Sanders <cas@taz.net.au> wrote:
> On Thu, Sep 22, 2011 at 08:52:35PM -0700, Daniel Pittman wrote:
>> So, the biggest advantage is that it does work against all those attacks that compromise the kernel and/or drivers to get into the kernel after a restart. Which, indeed, is where many of the "root kit" tools hit, on Windows.
> so the "solution" is to prevent installation of competing operating systems that don't have the security flaws that allow malware to compromise the kernel? or the BIOS.
> wonderful. makes perfect sense.

If you ran a corporate IT department and had a set of Linux laptops then it would be handy to be able to lock them down to prevent them from being used for gaming, pr0n, etc. A BIOS that could be locked to a GPG key to only load a signed kernel and initrd could be a first stage towards a locked down system.

Like many technologies this can be used for good or evil.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
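As an added illustration of the locked-down boot Russell describes (a BIOS locked to an owner's key that will only load a signed kernel and initrd), the following Go program is written for this page and is not code from the thread or from any real firmware; it uses Ed25519 in place of GPG. The owner signs each image offline, the firmware verifies each stage against the one key it is locked to, keeps a forbidden-digest list for images that must never boot again, and refuses a patched kernel or initrd. The image names and contents, and the Firmware and BootImage types, are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// BootImage is a constructed stand-in for a kernel or initrd file on disk,
// carried with the detached signature its owner produced over the payload.
type BootImage struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// Firmware holds the public key the platform is "locked to" plus digests of images that must never boot again.
type Firmware struct {
	OwnerKey  ed25519.PublicKey
	Forbidden map[string]bool // hex SHA-256 digests of revoked images
}

var ErrUntrusted = errors.New("image not signed by the platform owner key")
var ErrRevoked = errors.New("image digest is on the forbidden list")

func Digest(payload []byte) string {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// Sign is the owner's offline step for each kernel or initrd it approves.
func Sign(priv ed25519.PrivateKey, name string, payload []byte) BootImage {
	return BootImage{Name: name, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Verify is the firmware's pre-boot check; revocation is tested first, so a revoked image with a valid signature is refused too.
func (fw *Firmware) Verify(img BootImage) error {
	if fw.Forbidden[Digest(img.Payload)] {
		return ErrRevoked
	}
	if !ed25519.Verify(fw.OwnerKey, img.Payload, img.Signature) {
		return ErrUntrusted
	}
	return nil
}

// Boot verifies each stage in order and stops at the first failure (a bad initrd cannot ride in behind a good kernel).
func (fw *Firmware) Boot(stages []BootImage) (booted []string, err error) {
	for _, s := range stages {
		if e := fw.Verify(s); e != nil {
			return booted, fmt.Errorf("%s: %w", s.Name, e)
		}
		booted = append(booted, s.Name)
	}
	return booted, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fw := &Firmware{OwnerKey: pub, Forbidden: map[string]bool{}}
	kernel := Sign(priv, "vmlinuz", []byte("constructed kernel bytes"))
	initrd := Sign(priv, "initrd.img", []byte("constructed initrd bytes"))
	fmt.Println(fw.Boot([]BootImage{kernel, initrd}))
	kernel.Payload = append(kernel.Payload, " + rootkit patch"...) // in-place patch breaks the signature
	fmt.Println(fw.Boot([]BootImage{kernel, initrd}))
}
```

The owner key is the only trust anchor here, which is exactly the control the thread argues purchasers need to hold themselves.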

On Fri, Sep 23, 2011 at 10:54:31PM +1000, Russell Coker wrote:
> If you ran a corporate IT department and had a set of Linux laptops then it would be handy to be able to lock them down to prevent them from being used for gaming, pr0n, etc. A BIOS that could be locked to a GPG key to only load a signed kernel and initrd could be a first stage towards a locked down system.

i haven't seen any indication that the owner (i.e. purchaser) of the computer is going to be able to make use of this, only the manufacturer and Microsoft.

> Like many technologies this can be used for good or evil.

the evil uses are the overt intent. there aren't even any theoretical good uses yet.

seems to me that MS is jealous of the control and lock-in that Apple has over the devices they allow their customers to pay for and partially use.

of course, one obvious difference is that Macs have always been a closed or mostly-closed platform. while PCs have always been open.

BTW, what effect will this have on addon cards that have a ROM? disk controllers for example? will makers of PCI/PCIE cards have to get approval from MS and/or from every motherboard manufacturer for every revision of every product they make?

craig

--
craig sanders <cas@taz.net.au>

BOFH excuse #178: short leg on process table

On Sep 23, 2011 5:34 AM, "Craig Sanders" <cas@taz.net.au> wrote:
> On Thu, Sep 22, 2011 at 08:52:35PM -0700, Daniel Pittman wrote:
>> So, the biggest advantage is that it does work against all those attacks that compromise the kernel and/or drivers to get into the kernel after a restart. Which, indeed, is where many of the "root kit" tools hit, on Windows.
> so the "solution" is to prevent installation of competing operating systems that don't have the security flaws that allow malware to compromise the kernel? or the BIOS.

Not really, no, given that nothing requires that as written. It *might* be a side-effect, or might not, depending on what the vendors implementing this do.

Also, unrealistic claims (like, oh, that Linux is immune to kernel level compromise, or that it prevents firmware updates) are not super convincing.

Our one item deep pool of evidence suggests that Linux is not *yet* subject to this attack, but as the saying goes, the attack never gets *worse*...

(IIRC, it was Award that you could flash the BIOS of first; LinuxBIOS certainly have the tools.)

> wonderful. makes perfect sense.

It is one possible outcome, but I don't think it is entirely likely. More probable, I think, is that many vendors will allow Linux in some way, while the "hardware bundle" system where you get, for example, a desktop with Windows "small business edition" for free will end up mostly locked down.

Will it be overall worse for Linux? Maybe, but I doubt it will be substantially worse than the current driver problems are. Having a second problem like that sucks, but it is hardly the breathless end-of-the-world you are suggesting.

Daniel

On Fri, Sep 23, 2011 at 09:03:28AM -0700, Daniel Pittman wrote:
>> so the "solution" is to prevent installation of competing operating systems that don't have the security flaws that allow malware to compromise the kernel? or the BIOS.
> Not really, no, given that nothing requires that as written. It *might* be a side-effect, or might not, depending on what the vendors implementing this do.

yeah, well, just because the Thought Police have a habit of locking people's heads in rat cages doesn't mean Winston Smith has anything to worry about when they want him to come in for a little chat. it would be wrong to attempt to predict future behaviour from past behaviour.

there are two factors that strongly indicate that it will turn out to be as bad (or mostly as bad) as that:

1. the generic malice of corporations towards consumers and governments towards citizens.

2. laziness. it's easier to implement only the parts of the UEFI design that allow restriction by the computer manufacturers (and specific third parties such as Microsoft), without bothering to implement the parts that allow the purchaser to control the equipment they bought and own.

both malice AND incompetence. both are pretty powerful inertial forces to overcome.

> Also, unrealistic claims (like, oh, that Linux is immune to kernel level compromise, or that it prevents firmware updates) are not super convincing.
> Our one item deep pool of evidence suggests that Linux is not *yet* subject to this attack, but as the saying goes, the attack never gets *worse*...

i never said that linux was immune. I said that it doesn't have the security flaws that allow such compromises.

what we do have is over 20 years of history indicating that linux is quite safe and, more importantly, that linux devs (and free software devs in general) take security issues seriously. and that when a specific type of flaw is discovered that developers pro-actively look for instances where such exploitable code patterns exist and clean them up. and teach each other "don't do that". i.e. a practice and a culture that is highly resistant to malware.

by way of contrast, we have about 10 or perhaps 15 years of history (counting from Win2K, or perhaps NT, the ancestors of current versions of Windows) of continuous and repeated security flaws, and a glaringly obvious indifference to security as anything but an afterthought - it's certainly less important to MS than "backwards compatibility". plus another 15 or 20 years of the same for Microsoft's prior products - MS-DOS, Win3.x, Win95, and Win98.

> (IIRC, it was Award that you could flash the BIOS of first; LinuxBIOS certainly have the tools.)
>> wonderful. makes perfect sense.
> It is one possible outcome, but I don't think it is entirely likely. More probable, I think, is that many vendors will allow Linux in some way, while the "hardware bundle" system where you get, for example, a desktop with Windows "small business edition" for free will end up mostly locked down.

I suspect that (some/many/most) motherboards purchased separately will probably be fine. As will white-box clone systems as they're built from such off-the-shelf parts.

it's brand name systems, made by Dell, HP, Lenovo, and others - and sold through (in .au) Harvey Norman, Myers, and other large department stores that will be Windows-only.

amongst many other problems, this will make it impossible to suggest to friends, family, or the public in general that regardless of what OS they use for their day-to-day computer usage, it would be much safer for them to boot to a Linux USB stick or CD ROM to do their internet banking and similar security-sensitive tasks.

> Will it be overall worse for Linux? Maybe, but I doubt it will be substantially worse than the current driver problems are. Having a second problem like that sucks,

not having a specific driver for a specific product is very different from not being able to install or run linux at all.

> but it is hardly the breathless end-of-the-world you are suggesting.

sorry, you must be confusing me with someone else.

craig

--
craig sanders <cas@taz.net.au>

BOFH excuse #363: Out of cards on drive D:

>> Also, unrealistic claims (like, oh, that Linux is immune to kernel level compromise, or that it prevents firmware updates) are not super convincing.
>> Our one item deep pool of evidence suggests that Linux is not *yet* subject to this attack, but as the saying goes, the attack never gets *worse*...
> i never said that linux was immune. I said that it doesn't have the security flaws that allow such compromises.

Yes it does. If you let a user get root/admin on a computer then they can do whatever they want, and this is the 'flaw' that Microsoft is trying to fix.

I'm sure you've had 'Microsoft' call you up and tell you that your computer has a problem and that they'd like to help you fix it. You and I are smart enough to know that it's a scam but there are plenty of people who don't. Linux doesn't have the critical mass of stupid users yet to make such a scam worthwhile but that doesn't mean it can't work.

I think Microsoft's mistake is trying to fix stupidity/gullibility with a patch.

James

On Sat, Sep 24, 2011 at 09:59:41AM +1000, James Harper wrote:
>> i never said that linux was immune. I said that it doesn't have the security flaws that allow such compromises.
> Yes it does. If you let a user get root/admin on a computer then they can do whatever they want,

yes, and if you eat deathcap mushrooms you'll die horribly. don't do that. similarly, don't run untrusted software as root.

calling doing stupid things like that a design flaw is like saying it's a design flaw in a gun that if you stick it in your mouth and pull the trigger, you'll almost certainly die. that's not a design flaw, that's an unavoidable ramification of the item functioning properly.

the difference between windows and linux in this context is that it's far too easy for malware to get root / admin privs by exploiting one of the many security holes, and (until W7) it was pretty much the default for users to run as admin, or for their "account" (such as it is, MS has seemingly only recently discovered the idea of multiple users and privilege separation) to have admin privs so everything the user ran automatically had admin privs without even needing to exploit a security hole.

the easiness is partly due to software flaws in the various versions of windows and partly due to users doing stupid things....and those stupid things are encouraged by the countless irritating popups saying "are you sure you want to run that?" which desensitise users to security issues and teach them to Just Click Yes every single time.

i've been messing around with W7 recently and, while it's vastly superior to previous versions of windows (even to the point that i don't actually hate it :-) it's still bloody annoying. there are constant hassles and obstacles for everything you might want to do, it seems that every program you install or want to run involves some long and tedious digression finding and installing a bunch of other things or creating an account on some service. you can't even play some *single-player* games on it without having to sign up for yet another bloody online service. All this crap trains users to, as i said, Just Click Yes - i.e. "i don't want to have to care about signing up for xbox live (or whatever) - i don't even know or care what it is, i just want to get through this crap ASAP so i can play the game...so click, click, click as quickly as possible".

and this is supposed to be easier than apt-get? i don't think so.

> and this is the 'flaw' that Microsoft is trying to fix.

lots of people, probably the bulk of our species, are stupid. that's an unfixable flaw.

and i doubt very much if Microsoft are 'trying to fix' anything - they've just found a handy excuse to justify attempting to get the same kind of lock-in and control that Apple has over their users.

> I think Microsoft's mistake is trying to fix stupidity/gullibility with a patch.

I don't think it's a mistake on Microsoft's part. I think it's a convenient excuse for them to copy Apple's lock-in methods.

craig

--
craig sanders <cas@taz.net.au>

BOFH excuse #157: Incorrect time synchronization

Craig Sanders <cas@taz.net.au> wrote:
> the difference between windows and linux in this context is that it's far too easy for malware to get root / admin privs by exploiting one of the many security holes, and (until W7) it was pretty much the default for users to run as admin, or for their "account" (such as it is, MS has seemingly only recently discovered the idea of multiple users and privilege separation) to have admin privs so everything the user ran automatically had admin privs without even needing to exploit a security hole.

That's very lax indeed - thank you for educating me on the subject. The Windows NT kernel was designed by former Vax VMS developers, whom I would have expected to implement privilege separation from the beginning. Apparently, given the above, this wasn't a priority despite the widespread use of networking at the time.

I think what Craig is describing can be seen as a larger trend to try to design products that are resistant to the ignorance and incompetence of users. At some point I discovered that much of GUI design exists purely to solve this "problem", i.e., to enable people who haven't learned shell syntax or even how to type properly to use the software, even if not very efficiently. I quickly realized that this entire issue simply wasn't relevant to me - I'm not part of that target audience and therefore not affected by the issue which is supposed to be addressed.

Obviously, not all GUI design is concerned with this problem - exploiting the presentational capabilities of graphical displays is fundamentally necessary and important, regardless of the knowledge that users can be assumed to have; and certain applications such as graphics editors really do have to be highly visual.

One of my many reasons for using Linux is that I can choose software for which I am in the target audience, i.e., it matches my skills, needs and preferences.

On Sat, Sep 24, 2011 at 12:50:58PM +1000, Jason White wrote:
>> the difference between windows and linux in this context is that it's far too easy for malware to get root / admin privs by exploiting one of the many security holes, and (until W7) it was pretty much the default for users to run as admin, or for their "account" (such as it is, MS has seemingly only recently discovered the idea of multiple users and privilege separation) to have admin privs so everything the user ran automatically had admin privs without even needing to exploit a security hole.
> That's very lax indeed - thank you for educating me on the subject. The

well, even there it's only partly the user's fault. most things required admin privs to either install (understandable) or to run (absolutely unforgivable). this includes apps and games, not just system admin type utilities. even many of Microsoft's own games (Age of Empires, for example) required admin privs to *run* and, of course, other game developers just followed their appallingly bad example....it's easier to just demand full admin privileges for the entire game.

> Windows NT kernel was designed by former Vax VMS developers, whom I would have expected to implement privilege separation from the beginning. Apparently, given the above, this wasn't a priority despite the widespread use of networking at the time.

security is always a trade-off against convenience for the user. MS erred way too far on the side of convenience (with a couple of extra helpings of incompetence and stupidity - like apps requiring admin privs)

> I think what Craig is describing can be seen as a larger trend to try to design products that are resistant to the ignorance and incompetence of users.

no, that's not what i'm trying to describe. it's slightly related, but the point i'm making here is that the practice and the culture of windows development AND use actively sabotages any effort at having decent security. MS's patronising attitude towards their users certainly doesn't help, but it's not the root cause.

craig

--
craig sanders <cas@taz.net.au>

BOFH excuse #372: Forced to support NT servers; sysadmins quit.

> and (until W7) it was pretty much the default for users to run as admin, or for their "account" (such as it is, MS has seemingly only recently discovered the idea of multiple users and privilege separation) to have admin privs so everything the user ran automatically had admin privs without even needing to exploit a security hole.
> the easiness is partly due to software flaws in the various versions of windows and partly due to users doing stupid things....and those stupid things are encouraged by the countless irritating popups saying "are you sure you want to run that?" which desensitise users to security issues and teach them to Just Click Yes every single time.
> i've been messing around with W7 recently and, while it's vastly superior to previous versions of windows (even to the point that i don't actually hate it :-) it's still bloody annoying. there are constant hassles and obstacles for everything you might want to do, it seems that every program you install or want to run involves some long and tedious digression finding and installing a bunch of other things or creating an account on some service. you can't even play some *single-player* games on it without having to sign up for yet another bloody online service. All this crap trains users to, as i said, Just Click Yes - i.e. "i don't want to have to care about signing up for xbox live (or whatever) - i don't even know or care what it is, i just want to get through this crap ASAP so i can play the game...so click, click, click as quickly as possible".

This isn't purely Microsoft's fault though. With NT they could have just said "users shall not run with admin privileges. Any application requiring this will not work", but they needed to support applications from 3.x, 95, etc which loved to stomp all over the system. The problem with taking the coward's way out though is, as you say above, we still have a billion crappy applications that simply won't run without having administrative rights (I'm looking at you MYOB).

The funny thing is that they have implemented those popups in the server version of windows 7 (2008R2). If I ever log into a 2008R2 machine it's because I need to install something or change a setting somewhere. I don't need obstacles placed in my way. Trying to change permissions on a folder requires a stupid number of clicks and acknowledgement of warnings. Ditto for sudo on my linux servers - if I ever log in it's because I'll be making changes.

>> and this is the 'flaw' that Microsoft is trying to fix.
> lots of people, probably the bulk of our species, are stupid. that's an unfixable flaw.

Doesn't stop Microsoft from trying...

> and i doubt very much if Microsoft are 'trying to fix' anything - they've just found a handy excuse to justify attempting to get the same kind of lock-in and control that Apple has over their users.
>> I think Microsoft's mistake is trying to fix stupidity/gullibility with a patch.
> I don't think it's a mistake on Microsoft's part. I think it's a convenient excuse for them to copy Apple's lock-in methods.

I think it's a little bit of both. Armies of botnets are a thorn in Microsoft's side that they'd love to get rid of. Bootsector rootkits are really hard to get rid of for the average user, so never letting them get installed in the first place (or failing to boot when they do get installed) is a great idea. Unfortunately Microsoft are kidding themselves if they think the bad guys won't find a way around it - it's just another escalation in the battle between good[1] and evil and the rest of us are just collateral damage.

James

[1] I'm only labelling Microsoft 'good' in comparison to the malware guys :)

On Sat, 24 Sep 2011 02:03:28 AM Daniel Pittman wrote:
> while the "hardware bundle" system where you get, for example, a desktop with Windows "small business edition" for free will end up mostly locked down.

There appears to be no requirement to lock down systems shipped with server licensed versions of MS Windows 8, only client systems.

--
Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC

This email may come with a PGP signature as a file. Do not panic. For more info see: http://en.wikipedia.org/wiki/OpenPGP

Chris Samuel <chris@csamuel.org> wrote:
> There appears to be no requirement to lock down systems shipped with server licensed versions of MS Windows 8, only client systems.

How does this affect the security argument for signed boot loaders? Surely server systems are just as vulnerable to the types of malware discussed earlier in this thread, although admittedly they are more likely to be competently administered irrespective of operating system.

Obtaining a server and running it as a desktop machine might actually work for me, except for the noise level, which would be entirely unacceptable.

On Sun, 25 Sep 2011 06:45:08 PM Jason White wrote:
> How does this affect the security argument for signed boot loaders? Surely server systems are just as vulnerable to the types of malware discussed earlier in this thread, although admittedly they are more likely to be competently administered irrespective of operating system.

I guess Microsoft just figured there's no way the server market would kowtow to this sort of demand, whereas the desktop market has no need to care about such a small niche as people who run non-MS OS's.

> Obtaining a server and running it as a desktop machine might actually work for me, except for the noise level, which would be entirely unacceptable.

The other alternative is to support businesses that do make & ship desktop PC's with non-MS operating systems, like VG Computing in Melbourne.

cheers,
Chris

--
Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC

This email may come with a PGP signature as a file. Do not panic. For more info see: http://en.wikipedia.org/wiki/OpenPGP

Craig Sanders <cas@taz.net.au> wrote:
> so the "solution" is to prevent installation of competing operating systems that don't have the security flaws that allow malware to compromise the kernel? or the BIOS.
> wonderful. makes perfect sense.

To Microsoft, yes. See this follow-up article: http://mjg59.dreamwidth.org/5850.html
participants (6):
- Chris Samuel
- Craig Sanders
- Daniel Pittman
- James Harper
- Jason White
- Russell Coker