
Bungling MS singlehandedly proves that golden backdoor keys are a terrible idea - ghosh
http://www.theregister.co.uk/2016/08/10/microsoft_secure_boot_ms16_100/?mt=1470827608472
======
koolba
> These skeleton keys can be used to install non-Redmond operating systems on
> locked-down computers. In other words, on devices that do not allow you to
> disable Secure Boot even if you have administrator rights – such as
> ARM-based Windows RT tablets – it is now possible to sidestep this block and
> run, say, GNU/Linux or Android.

What's the point of disabling the ability to install another OS?

I can understand having a bit (that you can flip) in the BIOS that prevents
accidentally or maliciously overwriting the boot sector of an OS. But what's
the point of completely preventing it? What does it accomplish besides
neutering the device and pissing off people that are trying to replace the OS?

~~~
acdha
> What's the point of disabling the ability to install another OS?

It comes down to the trusted base concept: once the OS is running, it can
provide strong assurances to prevent unauthorized code from running but that
can't protect against malicious code starting before the OS. An attacker could
use the built-in virtualization support on most modern CPUs to load your
normal OS and, with care, make it extremely hard to tell that all of your
actions are compromised. Some people like that because it could be used to
attack DRM schemes but it could also be used to record keystrokes, steal
crypto keys, install ransomware which waits for the user to be utterly hosed
before triggering the payment prompt, etc.

Having the firmware verify every bit of code before executing it avoids that
problem but that poses the problem of having a trusted signing key which needs
to be managed – imagine the mess if, say, Dell's key leaked – and poses the
problem of getting new keys on the list for legitimate purposes (e.g. booting
Linux) but not making it realistic for malware to do the same thing. I'd like
to see some sort of government regulation requiring the latter but having some
fairly cumbersome process to complicate social engineering attacks (e.g.
reboot while holding down a switch, answer a prompt that you understand this
will expose all of your personal data to the new OS, etc.).

This is also why Intel is introducing things like SGX - note the selling
points on [https://software.intel.com/en-us/sgx](https://software.intel.com/en-us/sgx):

> * Remains protected even when the BIOS, VMM, OS, and drivers are
> compromised, implying that an attacker with full execution control over the
> platform can be kept at bay

> * Benefits from memory protections that thwart memory bus snooping, memory
> tampering and “cold boot” attacks on images retained in RAM

~~~
the8472
If disk encryption keys are tied to the secure boot keys then you can maintain
security and freedom at the same time. Swapping in a user-supplied signing key
would render the disk unreadable and thus protect the existing data from being
attacked by malware.

Don't drink their Kool-Aid if they're trying to convince you that they're
restricting your freedom in the name of security.
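
A toy model of the binding described in the comment above, added here as an illustration; it is not code from the thread, the article, or any vendor. The `ToyTPM` class, the key strings and the measurement layout are assumptions made for the sketch, modelled on how a TPM seals a secret to a PCR value.

```python
import hashlib, hmac, os

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA256(old PCR || SHA256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def measure_secure_boot(pk: bytes, kek: bytes, db: bytes) -> bytes:
    """Fold the Secure Boot key variables into one PCR value (assumed layout)."""
    pcr = bytes(32)  # PCRs start at all zeroes on reset
    for name, value in ((b"PK", pk), (b"KEK", kek), (b"db", db)):
        pcr = extend(pcr, name + b"\x00" + value)
    return pcr

class ToyTPM:
    """Model only: keeps sealed secrets inside and releases them on a PCR match."""
    def __init__(self):
        self.pcr = bytes(32)
        self._vault = {}  # handle -> (PCR value required by policy, secret)

    def boot(self, pk: bytes, kek: bytes, db: bytes) -> None:
        # Firmware measures the enrolled keys before any OS code runs.
        self.pcr = measure_secure_boot(pk, kek, db)

    def seal(self, secret: bytes) -> bytes:
        handle = os.urandom(8)
        self._vault[handle] = (self.pcr, secret)
        return handle

    def unseal(self, handle: bytes) -> bytes:
        policy_pcr, secret = self._vault[handle]
        if not hmac.compare_digest(policy_pcr, self.pcr):
            raise PermissionError("PCR mismatch: Secure Boot keys changed")
        return secret

def demo() -> bool:
    tpm = ToyTPM()
    vendor = (b"vendor-PK", b"vendor-KEK", b"vendor-db")  # constructed values
    tpm.boot(*vendor)
    disk_key = os.urandom(32)
    blob = tpm.seal(disk_key)                 # disk key bound to vendor keys
    if tpm.unseal(blob) != disk_key:
        return False
    tpm.boot(b"owner-PK", b"owner-KEK", b"owner-db")  # owner enrolls own keys
    try:
        tpm.unseal(blob)                      # old data must stay locked
        return False
    except PermissionError:
        pass
    tpm.boot(*vendor)                         # original keys restored
    return tpm.unseal(blob) == disk_key
```

After a key swap the new owner can still install and boot another OS and seal a fresh disk key under the new measurement; only the data sealed under the old keys stays unreadable.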

~~~
acdha
Please think things through more before accusing other people of drinking
flavor-aid. If you re-read my comment, note that I was describing how it
worked and the problem it solved, and the closest I came to endorsing a side
was in favor of the government preventing manufacturers from locking users
out. What you proposed still depends on something like secure boot but could
be a way to satisfy that mandate by preventing manufacturers from arbitrarily
restricting the configuration.

~~~
the8472
I did read it as you saying that vendor lock-in is a _necessary_ component
instead of an implementation decision.

To me the lockdown of Windows RT devices does not seem security-motivated at
all, considering that secure boot and TPMs in PCs share much of the same
security architecture but do allow key swapping. It's more likely motivated by
subsidized devices.

That's why your given answer to the question of why there is an OS lock-in
struck me as Kool-Aid.

------
wheaties
This is a well-written piece that has enough tech mumbo-jumbo to scare the
non-tech literate person away. I enjoyed it but are there other, more widely
accessible scare pieces out there? It's this kind of thing that needs to reach
privacy-conscious people so that we can stop governments from mandating stupid
stuff like backdoors.

------
brudgers
It's backdoors all the way down to the turtle:
[https://news.ycombinator.com/item?id=11913379](https://news.ycombinator.com/item?id=11913379)

