

FSF: Campaign against windows 8 "secure boot" - sagarun
http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/

======
redthrowaway
This is an articulate, succinct article that clearly outlines the concern
without any FUD or name-calling. This is what I _want_ to see from the FSF,
and what would make me more likely to donate to them in the future.

I hate to turn this into an RMS rant, but this approach stands in stark relief
to his "iBad/iGroan/Swindle" theatrics. This, I can appreciate. This, I can
get behind. I just wish that these kinds of articles and press releases were
what the FSF was most known for.

~~~
dasht
I don't think you really mean this: "I hate to turn this into an RMS rant". If
it was true that you didn't want to turn it into an RMS rant, then why did you
do exactly that?

The "theatrics" you refer to -- picking alternative, damning names for
treacherous computing devices -- are very much present in this article:

Instead of "Secure Boot," the article says, if the vendors implement it in a
way that deprives users of control, we should call it "Restricted Boot". Even
the reason for the alternative name is similar to the reasons in those other
campaigns.

So, the "name-calling" is there - to help people remember the issue.

Is FUD present in any of these campaigns? "FUD" is a derogatory name for
negative statements that drum up _false_ fears, uncertainties, and doubts. In
these various FSF campaigns, the fears, uncertainties and doubts are all quite
realistic.

~~~
redthrowaway
"Restricted Boot" is a perfectly good name for a BIOS replacement that would
only allow you to install pre-authorized OSes. "iGroan/iBad/Swindle" is
immature playground nonsense.

As for not wanting to turn my post into an RMS rant but doing so anyways, I
felt it was germane to the submission. You're free to disagree, but there's
nothing inconsistent about having reservations about something you're doing.

------
kogir
> The threat is not the UEFI specification itself, but in how computer
> manufacturers choose to implement the boot restrictions.

Exactly. When Apple shipped the first Intel Macs without Boot Camp, there
wasn't outrage that Windows/Linux couldn't boot; people that cared just didn't
buy them. Just don't purchase a computer that has been crippled by the
manufacturer.

It will still be possible to build your own computer - OEMs will only bother
to certify entire systems, and bare motherboard sales won't be affected by
Windows Logo Certification since the class of users who build their own
computers don't even notice marketing programs like that.

It's also likely that many, perhaps even most, certified systems will offer a
means to disable or customize the secure boot functionality. You can disable
Computrace, TPM, and Intel ME on virtually all machines that ship with them.
This should be no different.

~~~
mhw
The problem is not that enthusiasts who want to run an open source operating
system won't be able to choose appropriate hardware to run that OS. The
problem is that Secure Boot may remove the option of buying a Windows PC and
then at some later time deciding that you want to run an open source operating
system on it from those who weren't thinking about open source operating
systems to begin with.

At the moment, every PC sold is a potential target for a Linux distribution or
other open source operating system, and hence every PC sold increases the size
of the potential market. Secure Boot has the potential to disrupt this: a PC
with Secure Boot may deny the owner the ability to install and run an
unauthorized operating system. This could significantly reduce the potential
market for open source operating systems.

Look at it this way: at the moment if your mum/dad/grandparent/whoever is
willing to try a different operating environment, you can install pretty much
any Linux distribution (or other open source operating system) on their
hardware, or if they can do so themselves. And by 'can' here, I don't just
mean that you personally are able, but also that the original manufacturer
allows that kind of thing to happen.

In the future, computer manufacturers may sell computers to people on which
you (or they) will no longer be allowed to install an open source operating
system for them to try out, even if they want to.

~~~
keithpeter
I would also like to mention the common use of Linux on recycled or older
computer hardware. There is a mountain of hardware sitting in warehouses or
going into landfill. Many of these machines are usable with Linux. If
restrictive boot-loaders become common on consumer grade hardware, that option
is closed off.

~~~
bad_user
This is a win for computer makers -- why recycle old hardware when you can
throw it away to buy new stuff?

~~~
bergie
A lot of the second-hand computers go to charities, and end up in schools of
developing countries, etc. These are often places that wouldn't be able to
afford computers otherwise.

In the long term, the people who learn computing this way may be a market for new
computers, and that makes it good for computer manufacturers.

Besides that, computers in a landfill is a terrible idea, ecology-wise.

~~~
rbanffy
Most CEOs don't think long-term. By the time long-term arrives, they'll have
moved on to other companies.

They would probably prefer government programs to let those places buy new
"modern" computers right now.

------
seclorum
We have already seen this before .. I have a stack of Panasonic Toughbooks
that have a locked BIOS configuration, and absolutely nothing can be done with
these machines (they were thrown away, stupidly) because nobody knows the
password to re-configure them to boot properly. The BIOS is completely locked
down.

So, we will start to see this happen on a broader industry scale, and in my
opinion the benefits of "secure boot" definitely do not outweigh the liability
of making hardware that won't be useful in the future, simply because 'the OS
it originally had on it was such utter shit to require such measures in the
first place'..

~~~
cubicle67
Is it possible to reset the bios? Back in my pc repair days it was possible by
shorting two pins on the motherboard, usually they were near the bios battery.

~~~
thomaslangston
Alternatively, removing the BIOS battery and then reflashing the BIOS chip was
an option. A scary, unreliable option because reflashing wasn't always
possible and you didn't really know for sure until you tried.

~~~
seclorum
Nope, this cannot be done with these Toughbooks - there are fuses in a
surface-mount package that are programmed with the secret key and the BIOS
cannot be reset with 'traditional' remove-the-battery hacks - these fuses
either have to be read out, or the package needs to be replaced.

It's a huge hassle and a dire waste of hardware to have this occur and I
personally do not look forward to a future where the whims of a despotic
software company dictate what we can do with our possessions. Oh, wait ..

------
rbanffy
I think we should fear Microsoft lowering OEM licensing prices for
manufacturers who remove the option to disable secure boot. They'll probably
justify that by claiming it will help reduce piracy and support costs and say
that it helps bring computers to more people.

~~~
zokier
_Microsoft supports OEMs having the flexibility to decide who manages security
certificates and how to allow customers to import and manage those
certificates, and manage secure boot. We believe it is important to support
this flexibility to the OEMs and to allow our customers to decide how they
want to manage their systems._

source: [http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the...](http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx)

~~~
rbanffy
Get back to me when Dell includes the certificate I use to sign the Linux
kernels I compile here.

This only allows other companies that offer proprietary OSs that run on x86
PCs to try to persuade OEMs to include their certificates in the trusted
certificate list. It's great news for... mostly nobody.

------
doki_pen
I always suspect the entertainment industry behind stuff like this. I know the
only reason Netflix doesn't run on Linux (even though it runs on ChromeOS,
which is linux) is because it is open source. With "secure boot", they could
be sure there is no way for you to do anything with the video/audio stream
except watch or listen. I think this is the real reason behind this madness.
The compromise will be that your hardware will still run, but certain features
will be missing without an "approved OS".

~~~
dasht
Some publishers of various kinds of media welcome the idea of treacherous
computing for exactly the reason you suggest: If enough people agree to buy
broken computers - so broken that they can not be programmed to copy certain
files, for example - then big music companies, book companies, movie
companies, etc. all have an easier time. They can, as you say, deliver content
only on these broken devices, leading more people to give up their software
freedom in exchange for more convenient access to TV or tunes.

It doesn't stop there, though. Some software vendors _also_ like these
restrictions. With treacherous computing, vendors can make themselves the
exclusive providers of software and enjoy monopolistic pricing. In contrast,
consider that the cost of a complete operating system for a non-broken
computer starts with many decent options at a price of $0.

Treacherous computing also makes it easier for software vendors to monitor
their users in ways that users can't control and might not even notice. There
is no way, for example, to tell some devices not to "call home" and betray a
user's privacy to their vendors.

So it's a convergence of reasons, not just the "entertainment industry" (I
guess you mean a few big companies, not everyone who sells entertainment)
behind the thing.

~~~
sounds
Well said.

------
sagarun
Please don't forget to sign the statement
[http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/...](http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/statement)

~~~
adamc
Hmm, tried and the page hung. Will try again later.

------
mikerg87
This is FUD. Is Windows 8 shipping? No. Are there any systems in the wild
locked to Windows 8? No. Have any vendors come out and said they plan to
restrict FOSS from booting so I know who not to do business with? No.

Call me back when someone has actually locked out FOSS.

~~~
elehack
I can't get to the article, so I haven't read it yet and can't comment on it
specifically. However, pre-emptive concern is not necessarily FUD. A little
sabre-rattling can send a signal to manufacturers that they need to provide an
option to disable secure boot or they will tick off a vocal customer base.
Waiting until someone has actually locked out alternative operating systems is
somewhat too late; the point is to prevent them from doing it in the first
place.

------
aespinoza
A lot of the comments, and some articles regarding the issue pose the idea
that Microsoft is trying to restrict users from installing other Operating
Systems in their own machines.

I personally doubt that is the case. Microsoft has bigger problems, and I
don't think they are trying to block other OSes (especially Linux).

Even so, I don't think the "Secure Boot" implementation will get traction. I
think, that even though it's a good idea for malware protection, the execution
and wide adoption is not that easy. I believe the "Secure boot" thing won't
get very far.

Regarding the FSF, I won't comment, I think RMS has tainted enough for me.

~~~
mattmanser
I think you've missed the salient point:

 _if computer makers wish to distribute machines with the Windows 8
compatibility logo, they will have to implement a measure called "Secure
Boot."_

I obviously have no idea how much that little sticker is supposed to be worth
in terms of sales in store, but if Dell, say, complies while others do not
they can legitimately claim 'only our computers are windows 8 compatible'.

MS is targeting the distribution with this, not the end user, so traction is a
lot easier to get.

~~~
srdev
Yes, they'll have to implement Secure Boot if they want the little Windows 8
sticker. There's nothing there that says they can't provide an option to turn
it off. All arguments make the assumption that Secure Boot is required to be
on at all times and not just an on-by-default option.

~~~
wmf
Turning off secure boot adds a (scary) step to the process of installing an
OS, which will be enough to dissuade some users from trying.

------
robot
This is also what we have on mobile devices today. The real burden on mobile
seems to be the carriers. I hope it changes real soon.

------
teyc
Let me explain why secure boot/trusted computing matters for me personally.

More of my life is conducted on a computer than ever. My family photos,
banking transactions, files are all stored on a computer. Meanwhile, Flash and
Adobe Reader installs security updates on a regular rhythm. I need my PC to be
secure from drive-by downloads.

Getting linux to run is a secondary issue, as much as I value software
freedom.

~~~
kragen
You should not be running Flash and Adobe Reader on a computer that has access
to your banking transactions and family photos! Secure boot won't help with
that!

~~~
teyc
True. Those things should run in a VM.

