FSF Petition against Secure Boot

News, happenings
Post Reply
Message
Author
User avatar
James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

FSF Petition against Secure Boot

#1 Post by James C »

If you disagree with Secure Boot consider signing the petition....

http://www.fsf.org/campaigns/secure-boo ... icted-boot
Will your computer's "Secure Boot" turn out to be "Restricted Boot"?

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#2 Post by bark_bark_bark »

that petition is old. Plus Microsoft wouldn't really listen to the minority (and that minority is the Linux User). MS can really do what ever they want as long as they have multiple governments on their side.

EDIT: Also Secure Boot is disable-able
....

User avatar
Amgine
Posts: 231
Joined: Thu 22 Sep 2011, 01:27
Location: Washington State

#3 Post by Amgine »

Plus
There are also a lot of new options, Grub 2 and another called "Shim". I do no think this is a problem anymore.

User avatar
01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld
Contact:

#4 Post by 01micko »

Microsoft have been very cagey about how they implement "secure boot". If a PC vendor wishes to carry the windows 8 logo then they must implement secure boot. Now, this, as I understand, is firmware that replaces the traditional BIOS, much like macs do it. The problem then becomes different for every different PC


https://gitorious.org/tianocore_uefi_du ... ting_works

It's a complex problem with more than one answer.

PS: I signed, around number 41000
Puppy Linux Blog - contact me for access

User avatar
8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#5 Post by 8-bit »

I also signed that petition.
But what got my attention afterward was an email supposedly from FSF requesting money to support their efforts to fight secure boot.

User avatar
Smithy
Posts: 1151
Joined: Mon 12 Dec 2011, 11:17

#6 Post by Smithy »

From the tone of the website, this secure boot thing seems to be targetted towards females only?

"This could be a feature deserving of the name, as long as the user is able to authorize the programs she wants to use, so she can run free software written and modified by herself or people she trusts".

User avatar
darkcity
Posts: 2534
Joined: Sun 23 May 2010, 19:16
Location: near here
Contact:

#7 Post by darkcity »

Its because there is no gender neutral way to refer to a single person in the English language. This has been covered in another murga topic. You either have to use male or female orientation or the clunky s/he his/her. Sometimes those conscious of the default male orientation use the female one for a change.

starhawk
Posts: 4906
Joined: Mon 22 Nov 2010, 06:04
Location: Everybody knows this is nowhere...

#8 Post by starhawk »

I signed the petition, knowing it won't do anything. Resistance is resistance, however futile.

If this Secure Boot garbage takes over, I'll just cobble computers together with old parts, until they make it illegal to have old parts under the heading of "national security" or "cybersecurity" or some other BS.

Hm. Secure Boot, SB. Bull****, BS.

I think I just noticed something.

Also, isn't it amazing how the human need for safety and one's internal fear mechanisms (rather a linked pair) are so strong that any perceived threat, however real or fake, has to be addressed almost immediately? Combine that with peoples' current DRASTIC lack of understanding about computers and you get a pile of sheep that will follow the fear-mongers wherever they go... just on the off chance that these fear-mongers are right (which they almost never are).

The world is mad.

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#9 Post by bark_bark_bark »

Sorry Windows 8 and Windows 8 PCs already has Secure Boot.
....

User avatar
greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#10 Post by greengeek »

The wording in that article says:
When done correctly, "Secure Boot" is designed to protect against malware by preventing computers from loading unauthorized binary programs when booting.
I think an easier way than forcing the user to have a locked up BIOS would be for Microsoft to release their OS on a CD.

That way they could guarantee it would load an "un-tampered" OS into memory.

Of course, the OS code would have to be secure first.... Slight problem for Microsoft.

So by locking down the BIOS what they want to achieve is a secure way to load an insecure operating system. Marvellous. I guess then we will have to tick the box that says "check to allow Microsoft (trusted corporation) to update your secure BIOS every time I connect to the internet"

"Please wait while the computer applies 46 security updates to your BIOS. Do not shut down or power off until all updates are applied..."

Maybe I could support this technology when Microsoft announces that they have issued their last security patch and the OS is now secure.

Not holding my breath.

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#11 Post by bark_bark_bark »

Since the BIOS cam up just now in my head, someone told me that their MSI Motherboard has a Web Browser built-in, wow that means trouble.
....

User avatar
Keef
Posts: 987
Joined: Thu 20 Dec 2007, 22:12
Location: Staffordshire

#12 Post by Keef »

Probably referring to Winki
Panic over...

linuxbear
Posts: 620
Joined: Sat 18 Apr 2009, 20:39
Location: Las Vegas, Nevada, USA

#13 Post by linuxbear »

darkcity wrote:Its because there is no gender neutral way to refer to a single person in the English language. This has been covered in another murga topic. You either have to use male or female orientation or the clunky s/he his/her. Sometimes those conscious of the default male orientation use the female one for a change.
if one is careful, they can certainly find a gender neutral method to convey information

linuxbear
Posts: 620
Joined: Sat 18 Apr 2009, 20:39
Location: Las Vegas, Nevada, USA

#14 Post by linuxbear »

starhawk wrote: peoples' current DRASTIC lack of understanding about computers
The world is mad.
They do not want to understand. They want computers to be an appliance. My sister decided not to use dropbox to share family photos because she did not want to take the time to learn how to do it.

starhawk
Posts: 4906
Joined: Mon 22 Nov 2010, 06:04
Location: Everybody knows this is nowhere...

#15 Post by starhawk »

linuxbear wrote:They do not want to understand. They want computers to be an appliance. My sister decided not to use dropbox to share family photos because she did not want to take the time to learn how to do it.
That, to me, is any number of things --
- it is lazy; they are choosing the 'easy' path, rather than the smart path -- it's really not easier, and it fails to enrich the mind in the process.

- it is myopic; they could save a lot of people a lot of trouble if they did learn -- even if they could not do repairs themselves, they'd at least save the techs a lot of trouble doing diagnostics if they knew what they were talking about.

- it is costly; most people don't have a friendly nerd like me -- so they pay others to do what they themselves will not. Yes, it is easier, in the narrow sense that they didn't have to diagnose and fix it themselves -- but is it worth the expense that most people pay at eg Best Buy to get a "quick fix" for their computer? (eg removing a virus by wiping the hard drive and hoping the user has good backups) My answer is "**** NO!"

- it is hypocritical. Why do they expect someone else to do what they will not themselves do? I realize that there's an element of that to everyone (I myself will eat cooked meat, but I am quite squeamish around the raw stuff and would never want to work in a meatpacking plant), but this is a little more extreme to me. Maybe this one's just me. Not sure.

I would have no problems with this attitude to a limited extent -- someone who was content to be able to dust their desktop's innards twice a year (double that if they have pets) and do very simple hardware repairs (eg adding a data-only hard drive or replacing optical drives or RAM). I really don't expect more than that of the average Tom or Jane. But they should know at least that.

Further, I feel that this all is a cultural trend -- we as a culture, if not as collective humanity, want things to be easier than they are. Our idea of "a better world" is still one in which there are servants for everyone. It's just that those servants are technological instead of biological -- and we like to think that we're not creating new moral issues with that idea -- when, in fact, they're flooding in and we're just refusing to deal with them now.

User avatar
Ol'Duffer
Posts: 12
Joined: Tue 28 Dec 2010, 06:42
Location: Tanas by PDX

Computers as appliance

#16 Post by Ol'Duffer »

Yes, many people have a mix of talents that doesn't gel with geekness. So?
They work with a GUI, they use mouse and menus, they avoid digging deeper.
Without them, how many geeks would have a job or useful social role?

But if vendors make small embedded computer modules that cannot be modified or maintained, will enough of these people buy them?
Computers could become a thing of the past, replaced by disposables.
Not cheap, of course. Just not maintainable, and thus disposable.

If we don't educate people, they won't understand - in time.

starhawk
Posts: 4906
Joined: Mon 22 Nov 2010, 06:04
Location: Everybody knows this is nowhere...

#17 Post by starhawk »

Ol'Duffer, to your point... (sorry, this will be a little off the thread topic)...

You got the gears in my head going, and they spun something up. Consider the following scenario...
A community (eg town, city, neighborhood, whatever) government distributes a bunch of computers, one or two to each household. These computers need not be high-power systems -- they need only to operate, and to be fairly inexpensive in the required bulk quantity. Assume that they're all the same (or, at least, similar enough that the differences don't matter).

While these systems do have removable storage, they do not have a hard drive or any sort of OS storage built in. Instead, the household is given a set of USB storage media -- one drive per person over age 6. Each drive (flash or external HDD, doesn't really matter) contains an OS and some base programs. There is plenty of space for user data.

The community in question also maintains a community software repo (this isn't hard -- just servers and a way of checking/approving/adding "clean" software), such that community members are able to download "approved" programs that they might need -- games, productivity software (word proc/spreadsheet/etc.), whatever they might need. While community members can setup and maintain their own repo if they want to (and can fund its construction privately -- the community won't help with this) they are required to note, upon access, that theirs is a private repo and the community government can't help with any problems that come from it.

Free or low-cost classes are provided by the community on how to properly and responsibly use the computers and media provided. People can take the classes if they wish (or not) -- but if they are found to be committing cybercrimes (or at least cybermisbehaving), they must (re-) take the class(es) as part of their punishment. If someone loses their drive, or it is damaged, they can obtain a replacement, but whatever can't be transferred from old to new, is gone. (This also encourages user responsibility.) If someone has a hardware problem, the community government takes care of that.

All of this would be paid for through taxing appropriate to the community -- for a town, there might be a $25-50/year mandatory "technology tax"; for a small neighborhood or subdivision, it comes from your homeowner's association dues.
I'm (for now) calling this concept "Modular UserSpace Computing". MUSC allows the hardware to sort of fade into the background. The community government handles the hardware, and all people have to do is worry about their own data. Probably the best data medium would be a large-capacity flash drive. Mechanical hard drives have a bad habit of dying after a sharp drop of 12-18 inches, however accidental, and proper SSDs are insanely expensive proportionate to capacity. SD cards are nice, but they're tiny and thin -- the easier for your toddler to swallow or stomp on (CRUNCH!), or for you to lose. Obviously, if the drive is wrecked or missing, all the data on it is gone as well. (The community can, as needed, provide a backup service, but this brings other problems with it, for sure!)

I can already see the Reds in my country (nothing to do with Russia, but rather Republicans) starting to get a little red in the face and foamy at the mouth, at the idea of *gasp* community-oriented computing -- they might even want to call it "socialized computing". Difference is, I'd welcome it with open arms, if it was done right. ("Doing it right" is the key to all things!)

Thoughts?

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#18 Post by bark_bark_bark »

I think that the government should not handle the hardware in computers.
....

starhawk
Posts: 4906
Joined: Mon 22 Nov 2010, 06:04
Location: Everybody knows this is nowhere...

#19 Post by starhawk »

OK, so they contract out the hardware repair to local companies. No big deal. In fact, this whole operation could be done by a private company, contracted in by the local government or whatever. Who's doing it doesn't really matter -- what matters is doing it right.

The central idea is that the user is responsible only for their data and (if they want to do so) their OS. Whatever's on the USB media is theirs. Whatever isn't... isn't. Since nobody's born with the knowledge of how to compute responsibly, there are classes for that -- classes that anyone can attend. Making it mandatory for everyone is unnecessary. Giving people the option -- and then making it a little easier if they take the classes -- makes things go down better ;)

The only real requirements for the hardware are --
(1) it is compatible with the community-sponsored OS and software
(2) it functions adequately to allow a user to accomplish their tasks at a reasonable rate -- this does not mean "latest and greatest" but we're not talking mid-90s tech here either.

Probably the best setup would be a single-board computer with an ARM SoC and a gig of RAM -- and plenty of USB ports (4-6). LCDs around 15-17" diagonal are fairly mainstream -- and therefore cheap. Have the thing's BIOS (or UEFI or whatever) set so that it can boot from any USB port (the physical connectors do wear out after a while, so redundancy is important here), and you're good to go.

If you want a modular setup, put the SoC in a ZIF socket, like PC CPUs are, the RAM on a SODIMM, and the PSU on a separate PCB. That's about as modular as it's going to get. Cooling on this sort of setup would be simple -- a laptop-style setup would be fine, where you have the chip clamped to a bit of aluminum or copper with a heatpipe in it. Heatpipe goes to a not-very-large heatsink, and a fan blows air through that. Since I've yet to hear of a 20w ARM chip (RasPi is a ~1w chip IIRC) this cooling method is probably slightly overkill.

JustGreg
Posts: 782
Joined: Tue 24 May 2005, 10:55
Location: Connecticut USA

#20 Post by JustGreg »

I have been investigating the UEFI BIOS changes. Like any technology, it will be used and people will manipulate it for their own purposes. As far as locking out Linux, the Fatdog64 UEFI test distribution shows there are ways around it. I manage to make a UEFI bootable flash device. It allowed Fatdog64 to be become a tool in understanding the changes associated with the UEFI BIOS. Better tools will become available to allow the more inquisitive people to modify their computes as they want them. The genie is out of the bottle and will both help and hinder,

The "secure" portion of the UEFI BIOS uses the pubic shared key (PSK) system to determine if the bootloader being used is signed and has it been modified. The PSK system relies on a private key and public key to sign or confirm messages have not been changed. With Fatdog64, Jamesbond, signed and provided a certificate (public key) that registers the Grub2 bootloader as being acceptable. The UEFI BIOS requires a manual (man in the loop) process to register the new key.

However, if one checks a UEFI BIOS setup menu, one finds "gray out" entries for platform keys and company keys. These are the keys that were used to initialize the BIOS, mostly likely without needing a human in the loop. Most computers are assembled in foreign countries and imported. Do you really think the governments of the countries where the computers are assembled do not have copies of both the platform and company keys (public and private) used for the initial setup of the UEFI BIOS? The UEFI BIOS computers are not secure at the government level. Just think of the economic chaos a hostile nation could cause if it reset the keys of the UEFI computers to new ones, which do not recognize the existing operating systems. Especially, for example Windows 8, which does not provide the end user with a key management tool. FatDog64 does have a tool,so one could re-enter the key and start using it again.

Now, imagine if you are a professional data thief, but, you have a brother-in-law or have made loans to an employee at the factory where the computer assembly takes place. Do you think that he could not get the same keys to insert some new code into computers to capture information?

I do not think UEFI BIOS is sercure. It does help to solve some problems. But, it runs into JustGreg's dictum, derived from Murphy's Law: "Every new solution brings a new set of problems" :lol:
Enjoy life, Just Greg
Live Well, Laugh Often, Love Much

Post Reply