Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers

Discuss

136 Responses to “Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers”

  1. user1234567 says:

    As someone who makes technology choices for my company, any device we purchase that comes with secure boot enabled by default will be immediately returned as defective.

    • jkonrath says:

      Be prepared to do a lot of returns after this fall or so, because any Windows certified PC will be required to have the UEFI turned on by default.

    • Forkboy says:

       God forbid anyone installing an OS should be asked “complex and intimidating” questions. People who get intimidated by questions should keep their grubby paws off of the OS and get a small child to help them with the install.

      • digi_owl says:

        Except that at least two OSs out there never needs to be installed by their users (unless something goes badly wrong), as they can get computers with them preinstalled.

        • Forkboy says:

          There was a time when you could easily get a computer with Linux pre-installed: at the start of the netbook craze. Turns out most people don’t really want them. Those who actually know what Linux is and why they would want such a thing are smart enough to install it themselves or get someone qualified to do it for them.

          • warcaster says:

            Yeah, I don’t think you got what UEFI means. It doesn’t matter if you are “qualified” or not. You won’t be able to install it until the OS maker pays Microsoft for the key. Get it?

          • 5alo says:

            It could be claimed that netbooks vanished when they became slightly bigger and just turned into normal laptops.

            Meanwhile the heirs of netbooks are the tablets, and they often run iOS or some version of Android.

          • Eric Rucker says:

            warcaster: I don’t think you know what UEFI means, either.

            UEFI is just firmware. Nothing that restricts you in the base version.

            UEFI Secure Boot, however, is what you’re talking about.

            UEFI Secure Boot on x86 will be required to have a switch to disable it. So, you can find that switch, and then you’re back to today.

            UEFI Secure Boot on ARM, however, is where the problem is. That said, the ARM devices will most likely flop hard, so just buy an Android tablet that has an unlocked bootloader.

          • digi_owl says:

            The whole netbook thing was weird. They started out as very special devices, small screens, minimal sized keyboards, small SSD and Linux. The nearest right now are Asus Transformers (funny how Asus started the whole Netbook thing with their EEEPC 701) running Android, and Google Chromebooks.

            But HP and Dell sat out the party while ASUS, Acer and MSI duked it out in early period. The MSI model was a messy entry tho, as their SUSE bundle was missing vital drivers and was used as a basis for rebrands sold via big name chains.

            Only with MS putting XP on life support and creating very specific hardware requirements (that made netbooks in general bland) did HP and Dell enter the fray. And when they did, we got things like Dell putting a mail in rebate on the high spec Windows model that made it no more expensive than the Linux model (the lowest spec-ed variant of the range).

            In the end i do not know if people cared either way, they just went with what was familiar and on the shelves. and the shops were happy to push them as by now they had become so similar to laptops (Windows basically forced the use of HDDs as it could not be made to fit on the SSDs used in the early models) that they could push the old boxed standbys like Norton security.

            Basically netbooks went from a kind of Linux based web/net terminal to what amounted to a underpowered ultra-portable laptop.

      • Tim Lewis says:

        The typical setup options will be as complex as “Secure Boot: Enable/Disable” If disabled, then the signing isn’t enforced.

      • dragonfrog says:

        You FOSS techno-elitists still exist?  I thought Ubuntu pretty much wiped y’all out around 2005.

      • John Ohno says:

         There is a gradient of difficulty here. While performing a working linux install used to be somewhere around the same difficulty level as getting a working install of windows, this kind of thing should push it down to somewhere between getting a working Plan9 install and getting a working LFS install. This is not to say it brings it down to the difficulty level of writing your own posix-compliant OS (though that’s nowhere near the OS installation difficulty level upper asymptote), but it certainly takes linux away from the “where’s the power button on this thing”/”how do I internet” crowd, whereas previously it was entirely viable.

    • dainel says:

       This secure boot is supposed to stop boot viruses right? Your office will be more secure. You wouldn’t get boot viruses anymore.

      My question is, what about the other kinds of viruses?

      • Kermit D'Froge says:

        It’s not supposed to stop all viruses, it is supposed to stop boot sector viruses, which are the single most common way to bypass all of Windows x64′s security features. Mebroot, Rustock, TDSS, etc. All major families of malware which were the most sophisticated in the wild before stuxnet was on the scene. All can *not* be locked out in the consumer context without secure boot. They can be *detected*, but not locked out, in corporate contexts if you use a TPM, but of course you’re afeard of the magic TPM voodoo box which is going to undermine your liberty so that’s right out. They can and have been detected for home users with MS’s free anti-virus, but that’s signature based and therefore a losing game when compared to secure boot. Oh and it’s MS’s free AV so it’s probably evil too right?

        • John Ohno says:

           Windows x64 has security features? Are they actually starting to become sensible? I have a distrust for the security-consciousness of any software franchise that refused to use proper memory protection in consumer units until 2001.

    • Same as above, we will only purchase Linux Certified Hardware. Once our capability to manufacture is up, we will avoid this uncompetative and monopolistic feautre.

      • Joe_HTH says:

         LOL! What the hell are you smoking? There is no Linux Certified Hardware. Truth be told, UEFI is not owned, controlled, or created by Microsoft. The OEMs control that. If you don’t want a UEFI Windows 8 PC, just order one without the Microsoft signature.

  2. jgs says:

    “When you multiply $99 by all the different versions and flavors of free/open operating systems, it adds up to a substantial revenue stream for Microsoft.”

    What, seriously? Let’s see. Microsoft’s 2011 revenue was $70 billion. Let’s arbitrarily say that in order to consider a revenue stream “substantial” it must amount to 1/100 of 1% of a company’s overall revenue. That works out to $7 million. At $100 per license, that works out to 70,000 “different versions and flavors” that would all have to be paying toll.

    I’m totally down with hating on UEFI, but “substantial revenue stream” doesn’t cut it. It’s sloppy and undermines the rest of the argument by its presence.

    • Cory Doctorow says:

       You’re right. I’ve updated the post. Thanks.

      • jacobian says:

        It does open the door to a potentially substantial revenue stream however.   What MS has to manage is the precedent of getting everyone to pay them a tax.  Once it’s in place, they can raise it as they like.

        • digi_owl says:

          Kinda like how sneaky working on contracts in the past resulted in MS being payed by PC shipped, independent of the OS actually on the HDD?

        • Andy Reilly says:

          Also, it doesn’t have to be a revenue stream. It is better as a deterrent to other operating systems being installed. Maybe their intent is not to get a ‘tax’ from all these other OS’s, but to squeeze them back into obscurity. 

      • Tim Lewis says:

        Cory — Are you sure you have the $$ stuff correct? As I understand it, the $99 goes to Verisign to get an ID. The per-signing cost from the Microsoft portal is %0. It looks like it goes to MS because of the fact that you can access it from the MS portal, but read the fine print: “To receive the VeriSign promotional pricing, complete all of required fields, and then click Continue. The type of code signing certificate (Organization or Individual) to be issued will depend on the option that you select: Corporation or Individual.” That certificate is used to sign your code submissions. If you go to the Verisign website you will see the same set of options available.

        • Kermit D'Froge says:

          Tim is correct. Cory didn’t RTFA since it says right in the article that the money goes to verisign. If Corey RTFA he would also realize that this wasn’t about some vendors conspiring against Red Hat. This is about Red Hat *making the choice* that they didn’t want to try to work with vendors to include their keys, since they didn’t want to be in a privileged position over other Linuxes. This was about Red Hat *making the choice* to not ask users to disable secure boot. Secure boot is a demonstrably good thing in response to demonstrably difficult malware problem (which I happen to be a researcher on). We don’t need more FUD, but I’ve come to expect it from Cory (I just read him still to keep abreast of the misinformation being spread.) I’m all for open access and open systems, but not when that means we can’t shut out malware even if we want to.

    • Joe_HTH says:

       Anyone who hates on UEFI is an idiot, or an ignorant Microsoft hater who wrongfully thinks Microsoft owns or controls UEFI.

    • John Ohno says:

       There are indeed more than seventy thousand linux distros. Most of their maintainers are not going to be willing to pay microsoft ninety nine dollars for anything.

  3. rogerwilco1 says:

    $99 for each different revision never adds up to a “substantial revenue stream” for Microsoft. I would even wager that the cost of development of the site and the manpower to run the program/verify the accounts is never returned by the revenue of the program.
    This does not make the UEFI situation right, but do not spin it like a revenue stream that has 60 billion dollars in yearly revenue.

  4. EH says:

    I’m glad I know how to build machines from scratch so I can avoid this bullshit.

    • sigdrifa says:

      Sounds like you’re not in the market for a laptop…

    • lesbianjesus says:

      I don’t see why they wouldn’t embed it in the motherboard. There would be a huge demand from custom build vendors that would drive it. I wouldn’t expect this to stay restricted to DELL/HP, I’ll bet it will be on the boards/ bios soon enough.

  5. saurabh says:

    Why are the vendors going along with this? What do they have to gain, here? If they’re just doing what Microsoft tells them to do because they have to, isn’t that, like, illegal?

    • digi_owl says:

      Well they can opt to not sell computers with Windows preinstalled. Should make them a lot of customers…

      Never mind that MS has long been providing some pretty hefty (tho NDAed) volume discounts for big names like Dell, HP and Acer. If MS was to say they can’t have that discount any longer, their relative product price would jump accordingly (or the companies would have to eat the cost, cutting into their already thin margins).

    • Plus vendors like that windows certification… wonder if it will be required for mobos to be branded as Windows-ready.

  6. Jeff Chapman says:

    Microsoft lost an antitrust suit when it tried to bundle IE with Windows.  Now they are going to bundle Windows with hardware?  Seriously?

    • Kimmo says:

      Yeah, what the fuck?

      How isn’t this crap completely illegal?

      • yadayada says:

         This has the makings of a new lawsuit. FSF, are you listening? ‘Cause Fedora ain’t.

      • Kermit D'Froge says:

        It’s not illegal because it’s a completely inaccurate appraisal of the situation. Go RTFA and come back and describe exactly what you think is illegal. Because it’s not illegal for someone to say “If you want to sell my software, you need to turn on the security so that my software can’t be completely owned by malware from before my software even boots.” It’s not illegal because anyone and everyone can just turn off the security and install whatever they want. But yeah, you’re probably right. “ZOMG MS is abusing its monopoly to make it so that people who sell their software have to turn on security. Do no evil!”

        • Antinous / Moderator says:

          Lighten up, Francis.

        • Kimmo says:

          Yeah well, after looking into it a bit more, it doesn’t seem like such a big deal.

          My WTF was in reaction to the sensationalised and highly inaccurate reportage above; I’d assumed we could rely on a higher standard of journalism from BB than that.

    • Itsumishi says:

      The vast majority of computers have an OS bundled. Bundling is not the issue here.

      It’s the not being allowed to install something else that’s the issue.

      • Joe_HTH says:

         What are you talking about? You can install whatever you want by turning off the security. Besides, if you don’t want a Windows PC, why they hell would you be upset at this? If you wanted to install something other than Windows, don’t buy a Windows PC.

  7. Guest says:

    This question is so obvious to me, I’m surprised other people aren’t harping on it:  Isn’t this a clear abuse of Microsoft’s monopoly power?  I.e., an antitrust lawsuit just begging to be filed?

    • Ramone says:

      But private enterprise works best when it’s self-policing!

    • Tim Lewis says:

      Let’s be clear here. An OEM can install any number of certificates in the firmware at the time when the machine is built and subsequently when installing an OS. And the number of certificates can be updated later. The problem Fedora has is that they don’t have the relationship with the vendors to influence them to carry their key also. If they did, Fedora would be just as “in” as Microsoft. So rather than try to fight that fight, Fedora just signs their boot loader with the MS cert. They pay $0 to sign each boot loader from now until MS changes their key (and MS wants their boot loaders to work on older machines also).

    • neroden says:

       Yes, this is a clear abuse of monopoly power.  If the FTC were functional this would not be allowed.  Someone should contact the EU competition commission.

  8. ryan873 says:

    I remember similar alarm being expressed during the advent of Apple’s iOS devices. And during the proliferation of DRM technologies. And, before that, when telephones and picture radios invaded our living rooms. And yet, somehow, the earth continues to revolve, unabated. I think this may also turn out to be a non-issue.

    • Kimmo says:

      Pff, vigilance fail.

      Faith in some sort of status quo regarding our ability to control our own computers (which are nothing like ‘picture radios’ at all in that sense) is severely misplaced.

      What law of nature do you imagine exists to prevent corporate scumbags killing the general-purpose computer? They’d be all too happy to provide nothing but locked-down devices tailored to rape us all.

      The only thing standing in the way of this madness is the highly endangered principle of collectivism.

    • lesbianjesus says:

       Because the people who use open source or write open source just ignore Apples tiny piece of the pie.

    • saurabh says:

       It depends what you mean by “non-issue”. If you’re talking about it affecting the revolution of the earth, then, yes, I agree. It is always possible to ignore any amount of pain that you encounter if that is your standard. Many people on this planet make their living picking through trash for saleable scraps. Somehow, the earth continues to revolve.

  9. How long until Microsoft’s private keys are cracked/leaked?

  10. rdbms says:

    This has been around for a while now in the server market….

    HP server hardware (G7 & G8 and possibly G6) will not allow you to install Windows 2003 server below 2003R2

  11. simonbarsinister says:

     Hey Ayn, your Medicaid check is here!

    • simonbarsinister says:

       Damn, that doesn’t make as much sense when Boing Boing screws up the ‘reply’ and drops it at the bottom of the page.

      • Kimmo says:

        To be fair, it’s a Discus screw-up.

        Hasn’t happened to me yet… but I got sick of all the extra line breaks when quoting someone (blockquote is the tag, folks), and realised the fix is to paste into and copy from Notepad or some such.

        Actually, you could use that tag to insert the comment you’re replying to in your post with an edit.

  12. I didn’t make this clear originally, so I appreciate how this could be misconstrued, but the $99 goes to Verisign rather than Microsoft. The process actually costs more than that with Microsoft subsidising the difference, so for now at least the only kind of revenue stream it’ll be is one leading away from Microsoft. 

  13. Forkboy says:

    After reading the hyperbole I guess the meat of the story is that you will only be able to run Windows RT on “Microsoft-certified ARM-based computers” aka the new Windows 8 tablets. So what ? There’s no shortage of actual full fledged ARM boards out there to run Linux and frankly these tablets aren’t meant to be multi-purpose computers, they’re meant to be just Windows tablets. It’s not like MS is going to be selling a lot of these anyway.

  14. Taniwha says:

    surely we only have to get someone to sign uboot once and we’re done …….

  15. ponzicar says:

    The relative freedom we’ve all enjoyed with our computers and computer using electronics was an aberration that only existed because the technology wasn’t sophisticated enough or popular enough for the big companies to be able to easily keep their customers on a leash. Now that they are able to, I suspect things like this will be very common in the near future.

    • Jens Alfke says:

      Seriously? Computers weren’t “popular enough” until now? That may have been true in the 1980s, but not for a long time. You’re positing a conspiracy theory that doesn’t make any sense.

      In any case, read Weintraub’s comment below. This whole post is alarmist as the problem only applies to a small subset of ARM-based PCs that don’t exist yet.

      • ponzicar says:

        I’m talking about how, since their average customer is no longer the technically minded geek who enjoys poking, prodding, and playing with every feature of these devices, the companies who make them have slowly started to realize that they can get away with locking things down. Plus the ubiquity of devices with a constant connection to the internet means that they retain control of your property and can disable or change things at will through mandatory patches.

        • “since their average customer is no longer the technically minded geek who enjoys poking, prodding, and playing with every feature of these devices”

          Uhm, those geeks haven’t been the “average customer” since at least the mid 80s. The C64 alone sold over 20 million units, and most of them in (western) Europe. There weren’t that many geeks at the time.

  16. polossatik says:

    This “any Windows certified PC will be required to have the UEFI turned on by default.” is about the little “designed for – insert current windows version” stickers they stick on pc’s/laptops, no ?

    no, if UEFI turned off by default the brand cannot add this little sticker on the pc?

    that’s it?

    So what is then stopping dell/lenovo/etc of offering on version with the sticker and one (cheaper – without windoz tax- maybe linux pre-installed?) version of the same hardware?

    All it will result in for M$ is people will buy the cheaper one and ask the family guru to plunge a illegal windows version on it (unless they are happy with Linux or so )?

    • Graeme Russ says:

      You make two assumptions here:

      1) The average PC user knows anything about any OS other than Windows (hence ‘Monopoly’)
      2) Distribution and popularity of illegal copies is extremely high

      The big problem what happens if the whole EUFI/Win8/SecureBoot scenario is kept in play for long enough (say a couple of years)…

      Most current users of Linux were Windows users before they ‘found’ Linux. Most Linux users were introduced by a friend, family, colleague handing them a USB/CD and saying ‘hey, try this – if all you do is email and browse the web this will be a lot faster and you won’t get all those nasty viruses’. Microsoft wants to block this ‘infection’ of their user pool. With SecureBoot, if you are given a Linux USB/CD and try to boot it, the PC will flash up a big red warning screen – Linux will no longer ‘Just Work’ and it’s ability to present itself as an easy to use OS will be lost.

      So in two years time, even if SecureBoot goes away (because it wont’t do what Microsoft is pretending is the reason for it’s use), Linux will be set back 10 years. If you give a Linux USB/CD to a friend and say ‘here, try Linux’ they will say ‘Oh, I’ve had so many people tell me it’s a waste of time and that it won’t run, etc, etc.)

      • Renifer says:

        This is the best summary and explanation of this draconian firmware that I’ve seen here.  The purpose is to slow and halt new installations of Linux by making it harder and scarier.

      • toyg says:

        Yes, because Linux on the desktop is *such* a threat to Microsoft! Look at the enormous market gains in the last 10 years… er.

        In the real world, what started as just another anti-piracy and anti-virus feature (Secure Boot) was then morphed by Ballmer’s gang into a another bout of Apple wannabe-ism (“our ARM tablets will be locked down like *their* tablets, because *that*’s how they make so much money!”). Effects on the Linux world are just collateral damage, albeit certainly not unwelcome. 

        As a Linux user, I’m not scared by UEFI. General-purpose devices (laptops, desktops etc) will have the usual switch in boot menu (and whoever says that accessing the boot menu is technically hardcore is seriously misguided — even people in their fifties by now know what it is and how to access it). 

        Tablets will be locked down only because Apple taught us it’s how it should be, by Jobs!, and MS execs are so clueless that they’ll do whatever they can to mimic that. So you wanna blame somebody? Blame Apple, blame Steve.

  17. I’m not sure where to begin. Calling “$99 per OS a significant revenue stream for Microsoft”, or even calling it a revenue stream. The money goes to the root certificate providers (in Fedora’s case, Verisign).

    Standard desktop PCs running the x86 chipset are required to have the ability to turn off the secure boot feature, and have the ability to accept other signatures. Fedora did what they did because it was the easiest way to ensure that all PCs will boot Fedora without having to do a thing. Most commercial Linux distributors have already done this. Other Linux distress will require you to go into the Firmware and either turn off the SecureBoot or install generated boot keys. If you know enough to install a roll your own distro, you can do this.

    ARM is another story all together. ARM PCs with Windows RT on them will have secure boot turned on with no way to turn it off. Considering the market share of Windows 7 Phone, I can’t see this being a major issue. You can get quite a few ARM based computers with no locked down boot loader, or select from several Android computers that also have unlocked boot loaders, or let you unlock the boot loader.

    Why is this going on? Because malware is getting more and more clever. Windows 8 will sign almost all major parts of the OS including all libraries. It will become almost impossible for malware to install itself on Windows.

    That is, unless it can get into the boot loader and turn off Windows checking for digital signing on its libraries and executables. That’s why the boot loader is being signed.

    Yes, for those who like to hack, it does make things harder. However, the vast majority of computer users aren’t hackers. You can call them all sorts of unpleasant names, but they too buy computers and want to be able to use them without worry. I too am tired of the constant battle to secure my computer, and I’m pretty technical.

    So, if you want to roll your own OS, buy any x86 PC and turn off the secure boot. If you want a ARM PC, buy an Android model which will probably outsell Windows RT computers for the foreseeable future. (I don’t have much hope for Windows RT — not when every time you browse the Web, you go back to the old 1995 inspired Windows desktop.)

    For more information take a look at Ars Technica’s excellent article on the matter: http://arstechnica.com/information-technology/2012/01/windows-8s-locked-bootloaders-much-ado-about-nothing-or-the-end-of-the-world-as-we-know-it/

    • Graeme Russ says:

      “Why is this going on? Because malware is getting more and more clever. Windows 8 will sign almost all major parts of the OS including all libraries. It will become almost impossible for malware to install itself on Windows.”

      HAHAHAHAHAHA – Wrong!

      So there will be no need for anti-virus software in Win8?

      So in 5 years, all the anti-virus vendors will be out of business?

      Anyone remember what happened to the ‘hack-proof’ Playstation 3?

      I give it 6-months tops before a good Win8 virus goes wild.

      • neroden says:

         Windows IS malware.  Signing with keys from an incompetent and untrusted source, such as Microsoft, doesn’t provide any protection against malware whatsoever.

    • Simon Waters says:

      “Other Linux distress will require you to go into the Firmware and either turn off the SecureBoot or install generated boot keys. If you know enough to install a roll your own distro, you can do this.”

      I had a call from a friend about a week after he installed GNU/Linux asking if it was case sensitive. It takes less knowledge to install GNU/Linux than Windows, and this is an extra step for some distributions. I’m guessing it may also make dual boot operation complicated, which is the usual stepping stone.

      I agree it will probably become a “non-issue” for the big distros, but it may discourage folks from fiddling and experimenting, which is a shame as boot is one area where more progress should be made because frankly it is a pathetic experience in all major general purposes operating systems to sit watch the Bios do something daft with bespoke options and key sequences, then have a boot loader do something, then have the operating system try and detect everything the BIOS has found and look around for a load of hardware that has never been plugged in…

  18. Todd Meister says:

    Isn’t the “finicky and highly technical override process” going into the BIOS and deselecting an option? I’m pretty sure that’s what I read – that it’s a CMOS option. If you aren’t capable of doing that (and I’d guess around 99% of computer users aren’t), then maybe it’s best you let Microsoft decide what programs you can run.

    I’m not at all a fan of Microsoft, and I do worry that this is a slippery slope we’re on, but as long as you can change a BIOS setting to fix the problem, I don’t see a problem.

    • Changing bios settings is not hard, your computer tells you what key to press to get to the settings, and then, at least in intel bios, you get a description of what each setting does. In addition to that, I’ve even seen a bios that was mouse driven, no kidding. And on top of all that, if an inexperienced user is going to try this, they’ll be following instructions put together by people who do know what they’re doing.

  19. tony baldwin says:

    Where are the anti-trust lawyers!  This is an outrage!

    • Jeremy says:

      Why? I am a lawyer and don’t really see much of a problem.

      People need to think rather than react. None of this stuff applies in any way – even to ARM-based products – unless you want to sell a computer with a “Designed for Windows 8″ sticker. There will still be zillions of computers in circulation that don’t have UEFI so can’t do secure boot even if they wanted to and I’m sure that if they are capable of running Windows Vista or Windows 7 they are almost certainly going to run Windows 8.

      There is potentially a problem if ZYX Corp decides to make a ARM-based device and only sell it with a “Designed for Windows 8″ sticker. They won’t run anything apart from Windows 8 but that may be appropriate for their market. Not many people complain that you can’t install Linux (or anything else for that matter) on an iPad.

      I’m sure that any manufacturer who sees a market for ARM-based products not running Windows 8 will ship a version that will boot other software and which does not come with the magic “Designed for Windows 8″ sticker.

  20. Jens Alfke says:

    “For example, I have installed Ubuntu on a variety of machines by just sticking in a USB stick and turning them on”

    I’m not so sure that’s an unqualified positive feature. I mean, s/Ubuntu/malware/ and read it again.

  21. Zac Carrell says:

    Microsoft just took a turn for the worse. Again.

  22. HubrisSonic says:

    UEFI is actually a useful thing.

  23. Graeme Russ says:

    I just realised something…

    Kaspersky have a rescue disk to rescue Windows PC which uses Linux. So, if you shiny Win8 PC does get infected, your kinda naffed.

    Don’t be fooled into thinking the ‘secure boot’ is going to, in any way shape or form, protect you from viruses/malware. Everyone sipping from that coolaide can is going to feel rather silly in a few months when the first Win8 virus goes wild

    • Simon Waters says:

      I don’t think Microsoft is claiming this will stop viruses, indeed their other antivirus stuff in Windows 8 suggests they don’t think so either, this is more about preventing malware loading too early in the boot process. e.g. Before Microsoft Software.  Thus it should allow Microsoft to start their own tools and anti-malware efforts before other software. In theory this should make the system recoverable – think safe mode on steroids – where you can be reasonably sure if you pick “safe mode” that the system is behaving correctly (of course if the virus/malware modifies any of the files needed for booting I guess the system won’t boot till you stick in a certified recovery disk or some such.

      I don’t think this is a good approach, I’ve rescued too many Windows boxes by booting from cheap and tacky 3rd party rescue disks that book various minor Linux distros, not least some of the old DELL CDs and Floppies for rescuing were like this. They’ll presumably be usable if you flick a switch in the BIOS but we all know how easy and reliable BIOS software has been to use over the years.

  24. SoItBegins says:

    Give me a hammer.

  25. pjcamp says:

    Build your own.

    Buy a bunch of parts, plug them into each other the only way they fit, and do whatever the hell you want.

    Bite my ass, Dell! I haven’t bought a preassembled computer in 25 years.

    • Got any links for DIY laptops? because if you do, I want them.

      • Eric Rucker says:

        You can usually get “barebones” Clevo machines that have no RAM or HDD, IIRC. Beyond that, no DIY that I know of.

      • pjcamp says:

        I was going to mention what Eric said but he beat me to it. No OS or CPU either. It isn’t quite DIY but it is sans OS and you put what you want on it. There’s another possibility as well — persistent rumors in the past two weeks that Office is being prepared for Android. I was a little surprised by that — why wouldn’t they tie it to Windows 8? But it makes a certain amount of sense. Office has always made more money than Windows. Making sure everyone always uses Office is why it has always existed on Macs, even when they were a negligible share of the market, as well as a large part of the reason why Linux won’t take off. So it does make a certain amount of business sense. If it does come to pass, forget the whole idea of a laptop. Buy an Asus transformer and join the open source world.

  26. reneemjones says:

    This is criminal behavior on the part of Microsoft and they and their co-conspirators at the hardware companies all need to go to jail!

  27. Rob Knop says:

     It’s still a monopolistic practice.  They *can* do it, but it’s the sort of thing that ought to get them seriously slapped if somebody tries it out in court.

    Of course, it’s gonna take somebody willing to try it, and by the time the court actually does something about it, the world will have moved on and it will be absolutely no more meaningful than the antitrust wristslap that Microsoft got over IE bundling.  (Does anybody remember that any more?)

  28. Wouldn’t it be great if car manufacturers and oil companies got together.  You buy a ford and can only fuel up at ESSO stations.  Esso charges 10.00 gallon, too bad, nothing else will work…..

  29. srk says:

    The article and comments keep criticizing UEFI. UEFI is not the same thing as secure boot. UEFI is a firmware that is meant to be a modern replacement for PC BIOS/OFW/etc. Secure boot is an extension that can be added to implementations of UEFI. Most implementations of UEFI in existence today do not include “secure boot”. There are many implementations of “secure boot” systems that don’t use UEFI.

    A “secure boot” system could be done regardless of the underlying BIOS/firmware in use and it’s kind of unfair to UEFI to blame it for all of this.

  30. Tim Smith says:

    I suspect that the reason Microsoft REQUIRES that the user be able to disable secure boot or install their own keys on x86, but FORBIDS it for ARM has to do with device subsidies.

    For ARM tablets and phones, iOS and Android dominate the market. A fairly standard strategy when entering a market that is dominated like that is to offer subsidies on hardware running your software. I suspect that Microsoft will do this–you’ll be able to buy a Windows 8 tablet for significantly less than you will be able to buy an Android tablet with near identical hardware.

    The lock down is the price you pay for that discount, as (quite reasonably) Microsoft has no interest in subsidizing people who want to buy Android tablets. If you don’t want the lock down, buy the tablet that comes with Android instead of the one that comes with Windows.

  31. Andrew Kane says:

    Yet another reason to support the Coreboot project, particularly for those of us involved in FreeGeeks or other recycling / refurbishing organizations.

    http://www.coreboot.org/Welcome_to_coreboot
    http://www.freegeek.org/

  32. Andrew Singleton says:

    Google did something like this with their chromebooks.

    Big difference here is they also included ways you could disable secure boot. So far I don’t know the process that will be needed to disable secure boot on a Windows 8 box.

  33. That_Anonymous_Coward says:

    I’m pretty sure when the whole secure boot thing came up I raised questions about what MS would do next… and people told me they would do no such thing, people would be up in arms…
    It seems that MS got exactly what they wanted, forced adoption of their system.
    People wanting to try other OS’s will find themselves screwed, because this will not be a simple little switch in the bios.  If you can change it in the bios so can the virii writers, we can’t let consumers face these horrors!!!
    I wonder how this will play out for those people who build their own systems when confronted with locked systems that require way to many hoops to get past.

  34. Richard Fletcher says:

    Surely there is a technical fix that means you can have distroX pay the $99 and then all distroX does is replace itself with any of the other linux distributions? I mean, what exactly is being prevented here? Is it just writing to the MBR, are they just having to sign grub? If it’s everything in /boot we may have an issue, as we would presumably require microsoft to sign off every fix required to the linux kernal. They wouldn’t want to be doing that surely?

    • neroden says:

      With crap like this going on, I may have to get my friends to finish their work on the “quantum-computing” hardware which would break every one-way cipher.  It has its downside, but it clearly has its upside too.

  35. I think that the Open Source community should make a fist towards de OEM’s and enforce to be included on the hardware level! This seems to be another anti trust case looming… 

  36. edgarhjelte says:

    How do I know if a new computer has this crap or not?

  37. I wonder how Microsoft would respond if Linux heavyweights got together to partner with one or more hardware manufacturers to produce hardware that could only run Linux based operating systems.

  38. paul sutton says:

    I have contacted my Local MP, and included this page as a in my e-mail (well a link to it)  i suggest others do the same. 

  39. Remdot C says:

    The only thing that will happen is that someone will sue, while others will simply use brand X hardware as it will run anything they want. Then the vendor will dump microsoft, or provide a patch to enable / disable os installs at the bios level.  Plus how long will it be before key cipher X is in the wild and the open source community just all mysteriously feigns being Fedora.

  40. Jim Grinsfelder says:

    DLL Injection and API hooking are still going to work on any and all system API’s, so malware is still going to be a problem.

  41. LBalsam says:

    Is Microsoft so afraid that Windows 8 will be a disaster? The open hostility towards Metro was brought home to me at a recent IT event promoting Windows 8.

    With all I have read and heard lately educated customers will most likely avoid Win 8 at first. This will be a great way to force some customers to use the OS.

    I wonder if older versions of Windows will be certified. Will we or the vendors have the option to install older versions?

  42. Stephen Bungay says:

    I can trust Microsoft to try to screw me, and that is ALL I can trust them to do. The hardware manufacturers are wimps, especially when they hold the cards. Oh, and the new Windows 8 license has the end user unable to join in any class action suits against Microsoft, I guess they forsee lots of potential for that kind of thing given that they are the ones behind UEFI.

  43. howaboutthisdangit says:

    Might as well call this lockdown the WiMPI – the Windows Malware Protection Interface.  MS, in its typically heavyhanded way, thinks the best way to prevent bootkits is to control the competition entirely.

    No matter to me, as long as it can be disabled on “real” computers.  Windows ARM will not run “real” Windows programs, so I have no use for it.  I will spend my e-appliance money devices which run a leaner, lighter, open O/S.

  44. donovan acree says:

    Night now, no one knows how big the Linux install base really is. It’s all speculation since most people install Linux on a machine that originally had Windows.
    With this change, we may actually be able to get real numbers.

    • dragonfrog says:

      Nope – that’s not $99 per installed instance of an OS, it’s $99 per distinct version of an OS, regardless of installed base of that version.

      • donovan acree says:

         I get that @dragonfrog:disqus I’m more thinking that we can also look at how many machines are purchased without this new feature since that would pretty much be only non-MS installs.

  45. Cowicide says:

    So will Bill Gates offset all the lost money that won’t go to charities because of all the small business owners this hurts?

    (CowTip: Small business gives vastly more money to charity than large corporations do)

  46. The general public should be informed about this! If they don’t care about it Microsoft can do what they want. But if they buy a Windows 8 (boxy blocks) and don’t like it they are stuck with it, not even “downgrading” to Windows 7 or upgrading to Linux is an option. They should now that.. 

    • ZekeSulastin says:

       Do you know how I know you have no idea at all what you’re talking about, similar to most of the commenters?

      • No i’m so stupid and you are so smart…

        It’s just very easy for the OEM’s to lock the “BIOS” and the average user will not even no how to unlock if the EFI is accessible. So those people are stuck with Windows 8..

  47. Of course h(cr)ackers won’t stop hacking.. They will give hackers more happy hours.. :)

  48. brian mullan says:

    This has got to be illegal on Microsoft & the PC Manufacturer’s parts.
    I could see if the UEFI were managed by an independent open organization that could permit any legit request.
    But Microsoft holding the keys … that’s just wrong and got to be some sort of Monopolistic issue someone has got to take to court.

    • Microsoft is not holding all the keys, but if the only keys on a Windows 8 box are those from Microsoft than people are stuck.. And the OEM will be lazy, since they care about sales and not about users. Since the average user is ignorant about this they only will discover when it’s too late.

  49. I advice all Open Source advocates WorldWide just to migrate as many family members and friends to Linux or the more open OS X and ChromeOs… That could make a difference..

  50. Jens Alfke says:

    Jesus. The fact that you can decide you “hate” me or even know what “people like me” are like (not to mention making absurdly wrong guesses about my politics) based on two brief sentences I wrote, is kind of horrifying. I’d like to think BB readers are a bit more thoughtful or tolerant than that.

    If you want a little bit more perspective on what I meant, consider that the statement I quoted didn’t specify whether or not he owned (or had permission to do stuff to) those machines. I don’t want it to be impossible to change the OS on a computer, I just think having it be an easy one-click drive-by is a bit insecure.

  51. Andy Reilly says:

    Invalid argument there buddy. ” I don’t want it to be impossible to change the OS on a computer, I just think having it be an easy one-click drive-by is a bit insecure.”

    Installing an OS by booting from a USB stick is not a one-click drive by. 

    And you need to learn one of the most basic rules of computer security: Physical access to a machine implies root level access and complete control of that machine. 

    You can disable booting from thumb drives etc. in the BIOS and then password protect the BIOS on many machines. But no computer that you can gain physical access to will ever be secure FROM you. That’s why server cases have locks, server cabinets have locks, computer rooms have locks and data centers have locks. 

  52. Eric Rucker says:

    The trick is, Microsoft needs to keep machines secure from idiot users who have no business owning a computer, and really need an internet appliance.

    IMO, the correct answer is to have a jumper inside the case that allows the installation of OSes signed by someone who isn’t currently in the key store. That way, if you want to install something, you can break out the screwdriver and change a jumper, but still get all of the security benefits of Secure Boot.

  53. neroden says:

    “And you need to learn one of the most basic rules of computer security: Physical access to a machine implies root level access and complete control of that machine.”

    Yep.  This is why all this “secure boot” crap is just crap.

Leave a Reply