On 13/06/12 20:30, Graham Anderson wrote:
On Wednesday 13 Jun 2012 15:21:12 Basil Chupin wrote:
So why, suddenly, has this UEFI-thing come to the forefront? Nobody knew about this UEFI-thing beforehand, and now, out of the blue, Microsoft comes out with it - and everybody is supposed to go into panic mode?
Has someone been "asleep at the wheel", or am I missing the point about all this?
This is not a new or unexpected innovation. This is an extension of the Palladium/TPM/Trusted Computing[1] initiative to lock down computers so that only software in userland can be run without the absolute permission of the hardware and operating system vendor.
There are numerous real life applications for this technology such as intelligence, military, anti-malware, digital rights restrictions and so forth. The list of companies contributing to this in the link provided should raise a few eyebrows at least; for some of them this is about security, for others this is about control. None of it is about freedom of computing.
The objection that many, including myself, have to this technology is that you are absolutely handing control of your hardware over to a select band of corporations and their vested interests by enabling secure boot via TPM, signed boot loaders and kernels.
This technology may prove to be both a blessing and a curse. On one hand you can reduce the attack vectors and make computer systems more secure; on the other hand consumers are now having to ask permission from technology corporations, and by extension the interests that pressure them (entertainment corporations, governments, intelligence services etc...) to use the hardware you already own.
Additionally, how can you trust the hardware implementation to not have back doors[2] in it anyway? And do you really trust the certificate authority given that some of the root CAs in SSL chains have already been giving out generic certificates for cash for the express purpose of man-in-the-middle attacks? Do you trust Verisign to never give their signing keys to the US Government or intelligence services? Do you trust them enough to assume that no other nation state such as China has not already compromised them and can appropriate the signing keys?
The implications for free software, privacy and industrial espionage may be far reaching and severe. How do you know what your hardware is doing if you cannot interrogate it without permission? How do you know what your operating system is doing if you cannot run code in kernel space without permission?
Yes, I'm paranoid, but history, corporate behaviour and growing evidence suggest that I'm probably right to be so.
No need to feel that you are paranoid about this, Graham. It is exactly how I feel - and there must be tens of thousands of others as well who feel the same - about the whole thing. I can almost guarantee that if this scheme was devised by some company in China then the whole shebang would be ridiculed, thrown out of consideration as a cyber warfare weapon and what not.
[1] http://en.wikipedia.org/wiki/Trusted_Computing_Group
[2] http://en.wikipedia.org/wiki/Huawei#Security_concerns
BC

--
Using openSUSE 12.1 x86_64 KDE 4.8.3 and kernel 3.4.2 on a system with-
AMD FX 8-core 3.6/4.2GHz processor
16GB PC14900/1866MHz Quad Channel Corsair "Vengeance" RAM
Gigabyte AMD3+ m/board; Gigabyte nVidia GTX550Ti 1GB DDR5 GPU