Saturday, October 29th 2011
Windows 8 Secure Boot: Handy Malware Backdoor for Nosy Governments?
We've written before how Microsoft's new secure boot feature in Windows 8 could likely be used to shut out competition and create the ultimate in walled garden consumer lock-ins - something that is very undesirable from a competition, price and consumer choice viewpoint. However, it now appears that governments could lean on Microsoft in order to install secret snooping malware on user's PCs.
Ross Anderson, professor of Security Engineering at the University of Cambridge Computer Laboratory, has written in the Light Blue Touchpaper blog, about this issue. He starts off by explaining how secure boot could limit the purchase Metro apps to only the official Microsoft app store, saying. "Even if users can opt out, most of them won't. That's a lot of firms suddenly finding Steve Ballmer's boot on their jugular." That sounds very well put and really doesn't paint a pretty picture, does it? It's exactly the same tactic as all these firms that require you to opt out of receiving their junk mail, toolbars etc when installing software, knowing full well that the majority won't.
However, this control can turn from monopolistic to sinister, because governments could potentially lean on Microsoft to give them an official key in order to install malware on user's PC's, which could be next to impossible to remove. The particular example he gives is that of Tubitak, the Scientific and Technological Research Council of Turkey, saying that he has removed their key from his web browser, but how would he identify all foreign governments' keys?
Anderson has also written an 8-page paper (PDF) entitled "Can We Fix the Security Economics of Federated Authentication?" which covers this problem in great detail.
The Free Software Foundation has also also started a petition against secure boot, which people are encouraged to sign.
Ross Anderson, professor of Security Engineering at the University of Cambridge Computer Laboratory, has written in the Light Blue Touchpaper blog, about this issue. He starts off by explaining how secure boot could limit the purchase Metro apps to only the official Microsoft app store, saying. "Even if users can opt out, most of them won't. That's a lot of firms suddenly finding Steve Ballmer's boot on their jugular." That sounds very well put and really doesn't paint a pretty picture, does it? It's exactly the same tactic as all these firms that require you to opt out of receiving their junk mail, toolbars etc when installing software, knowing full well that the majority won't.
However, this control can turn from monopolistic to sinister, because governments could potentially lean on Microsoft to give them an official key in order to install malware on user's PC's, which could be next to impossible to remove. The particular example he gives is that of Tubitak, the Scientific and Technological Research Council of Turkey, saying that he has removed their key from his web browser, but how would he identify all foreign governments' keys?
We've also been starting to think about the issues of law enforcement access that arose during the crypto wars and that came to light again with CAs. These issues are even more wicked with trusted boot. If the Turkish government compelled Microsoft to include the Tubitak key in Windows so their intelligence services could do man-in-the-middle attacks on Kurdish MPs' gmail, then I expect they'll also tell Microsoft to issue them a UEFI key to authenticate their keylogger malware. Hey, I removed the Tubitak key from my browser, but how do I identify and block all foreign governments' UEFI keys?Sounds nasty, doesn't it? This isn't something that anyone should want on their computer.
Anderson has also written an 8-page paper (PDF) entitled "Can We Fix the Security Economics of Federated Authentication?" which covers this problem in great detail.
The Free Software Foundation has also also started a petition against secure boot, which people are encouraged to sign.
84 Comments on Windows 8 Secure Boot: Handy Malware Backdoor for Nosy Governments?
and no
NONE of his post cite ANY facts 100% of his posts are conjecture or lose assumptions based on oddball sources and personal bias
I am done with this thread and pretty much any thread by qubit I can only hope that eventually something will be done before techpowerup's good name is ruined by people like him
techpower up does not report baseless-conjecture or link to sites like the above OR at least It never used to. if I wanted to read about WHAT IFS and MABYS and other assorted tin foil hat _news_ I would read slashdot or phoronix
and as much as I hate my self for using this card I can't think of any better way to put it
the foss user thought process
> disagree with lowly windows user > claim to be Superior > fail > blame Microsoft > tell everyone that mean ol corporations and "the man" are out to get them > be proven wrong by the majority of users >QQ
everyone of his posts is a mixture of assumptions and FUD he has YET you show any credible proof of anything he is reporting
every-post I read by him reads like he is desperately searching for a way to connect his dots in such a manor that gives credit to his theory anyone or anything that is coperate or not "open" is evil and is out to get himyeaaaaaaaaaaaaaaaaaaaaaaa take the tin foil hat off please
I should add that that kind of reporting is EXACTLY whats wrong with journalism today and its the kind of thing I can't stand
/out
- It's not possible to please everyone all the time. A lot of people appreciate my articles - thankyou :toast:
- You trash my news, but naturally offer no reasonable counter argument
- If you don't like my articles, then why do you read them and then whinge pathetically every time? They are very simple to avoid
- There's the comments section of TPU. If you have to whinge about them, do it there and quit crapping and derailing my news threads
- You say I'm talking rubbish, but that's just your opinion. I see nothing that makes your opinion more valid than mine and I know you don't either
- Please don't double post
- You really are very rude and offensive. How would you like it if someone kept calling for you to lose your job? You've already had some of your worst posts deleted. :nutkick: Get a life