Saturday, October 29th 2011
Windows 8 Secure Boot: Handy Malware Backdoor for Nosy Governments?
We've written before how Microsoft's new secure boot feature in Windows 8 could likely be used to shut out competition and create the ultimate in walled garden consumer lock-ins - something that is very undesirable from a competition, price and consumer choice viewpoint. However, it now appears that governments could lean on Microsoft in order to install secret snooping malware on user's PCs.
Ross Anderson, professor of Security Engineering at the University of Cambridge Computer Laboratory, has written in the Light Blue Touchpaper blog, about this issue. He starts off by explaining how secure boot could limit the purchase Metro apps to only the official Microsoft app store, saying. "Even if users can opt out, most of them won't. That's a lot of firms suddenly finding Steve Ballmer's boot on their jugular." That sounds very well put and really doesn't paint a pretty picture, does it? It's exactly the same tactic as all these firms that require you to opt out of receiving their junk mail, toolbars etc when installing software, knowing full well that the majority won't.
However, this control can turn from monopolistic to sinister, because governments could potentially lean on Microsoft to give them an official key in order to install malware on user's PC's, which could be next to impossible to remove. The particular example he gives is that of Tubitak, the Scientific and Technological Research Council of Turkey, saying that he has removed their key from his web browser, but how would he identify all foreign governments' keys?
Anderson has also written an 8-page paper (PDF) entitled "Can We Fix the Security Economics of Federated Authentication?" which covers this problem in great detail.
The Free Software Foundation has also also started a petition against secure boot, which people are encouraged to sign.
Ross Anderson, professor of Security Engineering at the University of Cambridge Computer Laboratory, has written in the Light Blue Touchpaper blog, about this issue. He starts off by explaining how secure boot could limit the purchase Metro apps to only the official Microsoft app store, saying. "Even if users can opt out, most of them won't. That's a lot of firms suddenly finding Steve Ballmer's boot on their jugular." That sounds very well put and really doesn't paint a pretty picture, does it? It's exactly the same tactic as all these firms that require you to opt out of receiving their junk mail, toolbars etc when installing software, knowing full well that the majority won't.
However, this control can turn from monopolistic to sinister, because governments could potentially lean on Microsoft to give them an official key in order to install malware on user's PC's, which could be next to impossible to remove. The particular example he gives is that of Tubitak, the Scientific and Technological Research Council of Turkey, saying that he has removed their key from his web browser, but how would he identify all foreign governments' keys?
We've also been starting to think about the issues of law enforcement access that arose during the crypto wars and that came to light again with CAs. These issues are even more wicked with trusted boot. If the Turkish government compelled Microsoft to include the Tubitak key in Windows so their intelligence services could do man-in-the-middle attacks on Kurdish MPs' gmail, then I expect they'll also tell Microsoft to issue them a UEFI key to authenticate their keylogger malware. Hey, I removed the Tubitak key from my browser, but how do I identify and block all foreign governments' UEFI keys?Sounds nasty, doesn't it? This isn't something that anyone should want on their computer.
Anderson has also written an 8-page paper (PDF) entitled "Can We Fix the Security Economics of Federated Authentication?" which covers this problem in great detail.
The Free Software Foundation has also also started a petition against secure boot, which people are encouraged to sign.
84 Comments on Windows 8 Secure Boot: Handy Malware Backdoor for Nosy Governments?
back to the topic...
I hope secure boot doesnt gain traction because it never turns out as well for consumers when companies impose restraints to the products that we use. for example: open source development has spread like wild-fire in recent years and has become a boon to innovation as we continue to collaborate- not limit ourselves...
:)
I just love to say the word - Free.
I don't know if I'm a 40 year old hippie, but I'm just loving 'stickin' it to the man' as of late.
Screw Mafiasoft. I can play my Crysis2 in Steam under Ubuntu and I'm happy with it. The last tie to this company is now severed.
Free-dom. Try some...
Best Regards,
Liquid Cool
And OEMs not supporting an off switch for it is mighty handy for Microsoft isn't it? They get that lock-in they so desire and can then claim it wasn't them. This really doesn't take much to see through the smokescreen.
So yeah, you're damn right I'm negative about this technology and I'm going to keep writing news articles about it. Remember, governments and big corporations like nothing better than to restrict and control the population for their own gain and profits. The one thing they want is for developments like this to remain in the dark until it's all ready to go and too late to do anything about it. Therefore, the only way to beat it, or at least hold it back some, is to bring it out into the light and shout about it, so that everyone knows what's going on and the force of public pressure prevents it from happening. It doesn't always work unfortunately, but it's better than just sitting idle and taking whatever crap they spoonfeed you. In all aspects of life, public outcry/pressure does hold restrictive practices back and we'd have a much more autocratic and repressed world without it.
As Thomas Jefferson himself said, "The condition upon which God hath given liberty to man is eternal vigilance". So true, one must never forget it.
Also, the money argument doesn't really make sense when you are basically giving the power to shape the Industry at this point. UEFI is essential at this point moving forward in the industry. PCs are going to have to have UEFI, so Microsoft to say they want it all they want, the UEFI Forum has the power to do whatever they want, and we all just have to sit back and take it.
Do I think they will turn this down? No, I never said they would. They would be stupid to as it addresses security holes that industry leaders have been complaining about in UEFI for a while now. But they aren't just going to pass it because Microsoft says so. Take the tin-foil hat off. I'm guessing your conspiracy doesn't really hold water once you realize the people making the decisions are bigger players than Microsoft. When is the last time you saw Apple just step down and accept what Microsoft wants?:rolleyes:
See the problem seems to be that you haven't done proper research, because I'm guessing if you had you would have realized that the UEFI Forum is loaded with huge players in the industry, and not some small little broke individuals that will bend to Microsoft's will. You also would have realized that IBM and Intel were the big promoter of Secure Boot, not Microsoft. That is fine, but news, presented by a proper news reporter, should be presented without bias. And the reporter should be doing proper research before posting news articles, especially if they are going to be adding their own information to the article, they better make sure the information is actually correct. Calling Secure Boot a Microsoft invention is complete wrong information, and you should be ashamed for even suggesting it in a serious news article. If you are going to report on it, present the correct facts, not just BS that you pulled out of you ass because you think Microsoft is evil and want to bash them.
I'd have to ask qubit, have you written articles for the Daily Mail? The tone very much feels like it, and the articles are far too opinionated to belong as news articles.
Many reasoned arguments have already been posted combating this, but as you love the "big bad company" image so much you ignore those comments.
Besides which, if someone is buying a bog-standard Windows 8 PC from Dell/HP et al, do you really think they're going to want to run Linux? Plus, I somehow doubt that the OS will be effectively locked to the hardware, as it does prevent Microsoft's upgrade path to an extent (have to buy a whole new PC for Windows 9, rather than upgrade).
Also: I thought Apple have beaten them to that already?
Let's see you contribute something useful to TPU instead of whinging in my news threads. :slap:
MS backing the technology does not automatically make this a conspiracy.
Yet again, mountain out of a molehill.
So far, the only thing MS has really done is require that any PC sold with a Designed for Windows 8 Logo have the Secure Boot feature in the UEFI enabled by default, but they don't say it can't be disabled by the end user, that part will be up to the OEMs.
And what's with you idiotically messing up my quotes? :rolleyes: Life getting a little hard, perhaps? ;)
---------------
How about a little less of the personal attacks people, ffs. :rolleyes:
Give me some coherent arguments why you think I'm wrong and you're right and I'll debate it with you.
Recap:
secure boot = UEFI feature
Available for use by ANY OS.
MS being involved =|= automatic conspiracy.
Then capped off with my opinion on the matter:
Mountain out of a molehill.
That is not an attack.
Neither is agreeing with some points another member made, even if they were attacking you. I agreed with the points, which are still valid. I didn't respond or add to any personal attacks.
Yes, it might have been set up by the UEFI Forum, but that doesn't mean it won't get abused to shut out the competition, especially considering the big names that are on it (thanks NT :)). Saying anyone can use it sounds fine in practice, but you know how these things are structured: there will be a big fat payment to make to obtain a signature, shutting out smaller players.
I'm wondering, how will this affect even basic tasks like disc partitioning, adding removing discs etc? I suspect that it will make no difference, but I don't know.
if you don't know about a topic then you shouldn't interject your opinions into a news article or draw conspiratorial conclusions about the issue.
The fact that I don't know about how it will affect disc partitioning doesn't invalidate everything else I've said, either. I have no idea how you reached that conclusion. :confused: Well, they need money from somewhere to stay afloat, so we'll see what happens when it goes live. Perhaps the various companies that form this entity will just pay, but it seems reasonable to me that they would charge companies that use its services, one way or another.
Think about it this way: the initiative claims to be about increasing security, right? Therefore, they need some kind of vetting process to check each application to make sure it's not malware or something else unsavoury. That costs money to do.
Finally, back to the core point of Anderson's blog, that of dodgy governments. We've already seen how the SSL certificate authorities have been corrupted in certain countries (sorry, I don't have a handy link to any article at the moment) to mint a genuine cert for bad websites at the behest of those governments. So, what's to stop those same governments from leaning on the UEFI Forum and getting their dodgy snooping programs on people's computers?
You also assumed that Microsoft was just throwing around their wallet to get their way, again not knowing the fact that the UEFI Forum is comprised of companies as big or bigger than Microsoft. I'm pretty sure the multi-billion dollar companies that make up the UEFI Forum can handle it being a non-profit and front the little bit of money it takes to maintain the standard. A relatively small amount for the Multi-Billion dollar companies that run it.