On Thursday, June 14, 2012 11:27:30 PM Basil Chupin wrote:
On 13/06/12 20:30, Graham Anderson wrote:
On Wednesday 13 Jun 2012 15:21:12 Basil Chupin wrote:
So why, suddenly, has this UEFI-thing come to the forefront? Nobody knew about this UEFI-thing beforehand, and now, out of the blue, Microsoft comes out with it - and everybody is supposed to go into panic mode?
Has someone been "asleep at the wheel", or am I missing the point about all this?
This is not a new or unexpected innovation. This is an extension of the Palladium/TPM/Trusted Computing[1] initiative to lock down computers so that only software in userland can be run without the absolute permission of the hardware and operating system vendor.
There are numerous real life applications for this technology such as intelligence, military, anti-malware, digital rights restrictions and so forth. The list of companies contributing to this in the link provided should raise a few eyebrows at least; for some of them this is about security, for others this is about control. None of it is about freedom of computing.
The objection that many, including myself, have to this technology is that you are absolutely handing control of your hardware over to a select band of corporations and their vested interests by enabling secure boot via TPM, signed boot loaders and kernels.
This technology may prove to be both a blessing and a curse. On one hand you can reduce the attack vectors and make computer systems more secure; on the other hand consumers are now having to ask permission from technology corporations, and by extension the interests that pressure them (entertainment corporations, governments, intelligence services etc...) to use the hardware you already own.
Additionally, how can you trust the hardware implementation to not have back doors[2] in it anyway? And do you really trust the certificate authority given that some of the root CAs in SSL chains have already been giving out generic certificates for cash for the express purpose of man-in-the-middle attacks? Do you trust Verisign to never give their signing keys to the US Government or intelligence services? Do you trust them enough to assume that no other nation state such as China has not already compromised them and can appropriate the signing keys?
The implications for free software, privacy and industrial espionage may be far reaching and severe. How do you know what your hardware is doing if you cannot interrogate it without permission? How do you know what your operating system is doing if you cannot run code in kernel space without permission?
Yes, I'm paranoid, but history, corporate behaviour and growing evidence suggest that I'm probably right to be so.
No need to feel that you are paranoid about this, Graham. It is exactly how I feel - and there must be tens of thousands of others as well who feel the same - about the whole thing.
I can almost guarantee that if this scheme was devised by some company in China then the whole shebang would be ridiculed, thrown out of consideration as a cyber warfare weapon and what not.
[1] http://en.wikipedia.org/wiki/Trusted_Computing_Group
[2] http://en.wikipedia.org/wiki/Huawei#Security_concerns
BC
Being paranoid is smart these days. Trying not to be is not so smart. We need clear criteria to know that. There are enough technological devices tracking or collecting data from us every moment. Some of those devices are not user controlled. In other cases, we pay some services to be tracked or to have our data collected.
OTOH, in case anyone is interested, the last reflections Matthew Garrett has posted about SecureBoot are at this link: http://mjg59.dreamwidth.org/13061.html
Regards,
--
Ricardo Chung | Panama Linux & FOSS Ambassador openSUSE Projects