
Support the FSF: Help us stop Restricted Boot - mtgx
http://fsf.org/campaigns/secure-boot-vs-restricted-boot/2012-appeal
======
sounds
This article has a better list of Linux OEMs than I've ever seen before.
(Yeah, yeah, I need to get out more :)

• Freedom Included <http://freedomincluded.com>

• Garlach44 <http://garlach44.eu>

• InaTux <http://inatux.com>

• Lemote <http://lemote.com/en>

• Los Alamos Computers <http://laclinux.com>

• System76 <https://www.system76.com>

• ThinkPenguin <http://thinkpenguin.com>

• ZaReason <http://zareason.com>

~~~
wmf
Actually I think those OEMs need to get the word out more. It's not the
customers' fault if a company has such poor marketing that prospective
customers haven't even heard of it.

~~~
sounds
Sure.

But I want them to succeed - I'm willing to give them a little free publicity.
(Emphasis on a little)

------
geofft
The FSF's attitude towards new technologies seems awfully reactionary (this is
somewhat unsurprising when you remember that rms doesn't use a web browser;
occasionally he emails interesting-sounding URLs to a service that emails them
back to him in plain text, and he only checks email once a day).

Secure Boot where you can only run Microsoft-approved software is bad for
software freedom, no question about it. Secure Boot as defined by the spec,
where there is no requirement to have preloaded MS keys and where users
explicitly can load their own keys, is absolutely _good_ for software freedom
-- it makes the "evil maid" attack much, much harder. (The "evil maid" attack
on full-disk encryption involves someone having access to your computer while
it's off, and trojanning the bootloader and having it leak your disk password
or the contents of the disk once your system boots. People naively expect
full-disk encryption to stop this, but it's as easy as booting from a CD or
thumbdrive. With secure boot, it involves physically opening the case and
probably replacing chips.)

Let's make sure that Secure Boot stays good for software freedom, instead of
throwing out the technology along with the policy, and leaving users with no
defense against this sort of attack.

~~~
ajross
How many consumer systems have been the victim of evil maid attacks in
practice? How many have been infected via browser (or other client)
vulnerabilities that never touch the kernel nor interact with a "secure" boot
implementation?

Secure boot exists primarily because it provides a "feel good" answer to
content providers about the feasibility of DRM. It's not an answer to real
world security issues and never has been.

~~~
geofft
Secure Boot does not implement DRM or help in any way for DRM, as it turns
out. Secure Boot is about the hardware trusting the OS it's about to boot, not
about the OS trusting the hardware it's running on. Once the OS has booted, it
has no way to figure out if the "you were secure-booted" flag is trustworthy
or not -- a trojan bootloader can easily set that flag and then chainload to
the normal OS.

If you want the OS to trust the hardware it's on, you need a TPM, and you
probably need the machine to be installed by someone who can communicate with
the content provider. The entire point of Secure Boot is that it can be
implemented just in existing UEFI code, _without_ the additional hardware of a
TPM.

I develop an OS product that has no browser installed on it at all -- there's
one small client application that just interacts with our one server product,
and then boots everything else you might want to do in a VM. The biggest
threat to the security of our outer layer is, in fact, an evil maid attack.
It's certainly worth being aware of that threat, even if there are other,
bigger threats. (Nobody says that we should stop worrying about buffer
overflows while there are still cross-site scripting attacks, etc.)
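
The "you were secure-booted" flag discussed in the comment above is exposed on Linux as the `SecureBoot` UEFI variable under efivarfs. As an added example (not part of the thread and not any commenter's code), this Python snippet parses it together with `SetupMode`; the fixtures built in `demo()` are constructed sample data.

```python
import struct
import tempfile
from pathlib import Path

# GUID of the EFI global variable namespace (SecureBoot, SetupMode, ...).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")

def read_flag(name, root=EFIVARS):
    """Return the one-byte value of an EFI global variable, or None if absent."""
    try:
        raw = (Path(root) / f"{name}-{EFI_GLOBAL_GUID}").read_bytes()
    except (FileNotFoundError, PermissionError):
        return None
    # efivarfs prefixes the data with a 4-byte little-endian attribute mask.
    if len(raw) != 5:
        raise ValueError(f"{name}: expected 5 bytes, got {len(raw)}")
    _attrs, value = struct.unpack("<IB", raw)
    return value

def boot_state(root=EFIVARS):
    """Classify what the firmware *reports*. The running OS cannot authenticate
    this value on its own, which is the limitation the comment describes."""
    secure_boot = read_flag("SecureBoot", root)
    if secure_boot is None:
        return "unavailable"      # legacy BIOS boot, or efivarfs not mounted
    if read_flag("SetupMode", root) == 1:
        return "setup-mode"       # no Platform Key enrolled; keys can be loaded
    return "enforcing" if secure_boot == 1 else "disabled"

def demo():
    """Run boot_state() over constructed efivarfs directories (sample data)."""
    cases = {"enforcing": (1, 0), "disabled": (0, 0), "setup-mode": (0, 1)}
    results = {}
    for label, (sb, setup) in cases.items():
        with tempfile.TemporaryDirectory() as d:
            for name, val in (("SecureBoot", sb), ("SetupMode", setup)):
                # Constructed content: attributes 0x6 (BS|RT) plus one data byte.
                path = Path(d) / f"{name}-{EFI_GLOBAL_GUID}"
                path.write_bytes(struct.pack("<IB", 0x6, val))
            results[label] = boot_state(d)
    with tempfile.TemporaryDirectory() as d:
        results["empty"] = boot_state(d)
    return results

if __name__ == "__main__":
    print("this machine:", boot_state())
    print("constructed samples:", demo())
```
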

~~~
ajross
I didn't say it "works". What I said was basically: Secure boot answers the
question "How do I know someone won't write a crack to steal my content?" in
an intelligible way (i.e. "Because it locks down all the software that runs on
the device in an uncrackable way.")

That's a powerful sales tool. Systems that don't have secure boot have a much
harder time selling their DRM implementations. And that's why we have secure
boot. Don't fool yourself into thinking all problems are technical.

------
pi18n
Secure boot is fantastic for users _IFF_ they can change the master keys on
the hardware. But you would have to be a complete idiot to trust that
Microsoft or Apple would allow that for any longer than it takes to make the
hardware ubiquitous; then the iron bars come crashing down around us.

I wish the best of luck to FSF in stopping this. I don't have much I can
donate, but I hope my little bit of support will help them.

------
JoshTriplett
While the name "Secure Boot" seems like horribly misleading doublespeak, this
still seems like a case where giving something a more descriptive name results
in less effective communication. Calling it 'UEFI "Secure" Boot' would have
sufficed, along with _describing_ it as "restricted boot", but attempting to
rebrand it seems like an ineffective and actively harmful marketing tactic
here.

~~~
Karunamon
They're only trying to redefine the label to fit what the software actually
does. A strong argument could be made that the name as commonly accepted is a
misnomer considering what the endgame is.

Digital "rights" management is not about your rights, it's about restricting
you from doing what you want with your content. Hence the R in DRM now means
"restriction".

Same concept here.

~~~
JoshTriplett
I agree with you entirely that the generally recognized name doesn't fit;
however, I still think it seems counterproductive to attempt to rebrand it.

"Digital Restrictions Management" worked better, because it still abbreviates
as DRM so nobody goes "huh?" when you say it. "Restricted Boot" needs an
accompanying explanation to tie it to the official name of 'UEFI "Secure"
Boot', which makes the attempted rebranding counterproductive.

------
CurtMonash
As long as there is robust availability of hardware on which you can install
your preferred software, why should EVERY bit of hardware offer that feature?

~~~
chimeracoder
Because EVERY piece of hardware that I have bought is mine, and that means I
should be able to do what I want with it.

------
jf
Reminder for Microsoft employees: Remember that Microsoft matches donations to
501(c)(3) non-profit organizations.

~~~
temac
Reminder for Microsoft employees: if you are going to support that, you should
as well quit (maybe after having done a donation :p )

------
k-mcgrady
I disagree with secure boot on regular desktops but I'm not sure how I feel
about it on ARM devices (specifically tablets). I feel like the only people
who are going to change the OS on a tablet are geeks - it won't affect
ordinary consumers who won't want to change the OS especially as tablet
hardware and software is so integrated.

Is it possible to hack this or will it even affect geeks who do want to
install the OS of their choice?

~~~
mtgx
Why make the difference between the two? What's so special about tablets that
they deserve restricted boot, but PCs do not? They're just all computers.
What's worse is that in the future these computers will be a lot more popular
than PCs ever were. That means more people will be restricted by default.

Most tablets and phones just happen to come with a different chip
architecture, but there is nothing inherent to them that demands they should
be restricted compared to the x86 alternatives.

~~~
tzs
One major difference between phones and desktops is that phones are often
subsidized.

~~~
josteink
So are computers with their "free" antivirus included. But let's not care
about that.

Why should that make a difference?

------
ollysb
This really seems like something the market could decide. If there's a large
group of people that want an alternative would the opportunity not be great
enough for a new company to fulfill it? Who are the restricted bootloaders
actually harming? There's still plenty of choices for people that want to
install linux on a box and I don't see that this choice will disappear any
time soon.

------
secondChrome
So I'll step up and be "that guy" who points out they accept Bitcoin
donations. 1BTC sent.

------
DasIch
I'm somewhat optimistic in that the EC will tackle this problem and if they do
they will have a much better chance at being successful than the FSF.

------
Surio
[deleted as it adds no value]

------
recoiledsnake
> We will fight Microsoft's attempt at enforcing Restricted Boot on ARM devices
like smartphones and tablets. Like any other computer, users must be able to
install free software operating systems on these devices. We will monitor
Microsoft's behavior to make sure they do not deceive the public again by
expanding these restrictions to other kinds of systems

I love how Windows RT devices which are struggling to ship a couple million
are "ARM devices" but there is absolutely no mention of tens of millions of
iPads, Kindle and some other Android tablets being sold with locked
bootloaders.

Same with phones, are WP8 phones with a 3.5% marketshare (albeit increasing) a
much bigger threat to user and software freedom than iPhones? At least with
Microsoft you have the choice of OEMs, whereas with Apple you have no freedom
of choosing the manufacturer. I think mentioning Apple undermines their point
in such a serious way that the FSF (and Mozilla) hasn't mentioned it in any of
their long blog posts on Secure Boot.

Also, with the PCs sold being mandated by Microsoft to have a way for an end
user to disable Secure Boot and Add/Remove their own keys, the user is
completely in control and can even remove Microsoft's key if they so wish.

US $350,000 is a LOT of money to waste going after this, imagine what could be
done with that money if it was spent on things like OpenOffice, Samba and
other projects sorely lacking in money and resources. I think this is an
exercise in baiting Microsoft haters to part with their money rather than any
productive exercise to increase computing freedom. I hope donators consider
better uses of their money.

~~~
josteink
Yeah. I find it odd that despite Apple winning the world-championship in
patent-trolling and leading the fight for closed systems and walled
gardens, FSF still decides to go after anyone but Apple.

Despite this tarnished image of a former tech-innovist, does the FSF really
still feel it's impossible to fight the _root evil_ here because of public
perception?

Is it only picking on Microsoft because that is easier to amass support
against?

We, as hackers and developers, should support this. We should fight closed
systems. We should fight against the forces against general purpose computing
(Cory Doctorow has a nice speech on this) and we should fight those who seek
to criminalize writing code because somewhere some troll has a vague patent
with no implementation covering your work.

So yes. Support the FSF on this. But also boycott those who are the chief
offenders here. Every dollar spent in an Apple-store is money spent _against
the core of your profession_. Stop spending money there. And throw away your
iPhones and Macbooks. They are bad karma and software blood-money.

~~~
danieldk
_We should fight against the forces against general purpose computing_

I have very mixed feelings about this very topic. As a developer, I completely
agree with you. Hardware should be hackable and software replaceable.

But there's also another side: computing has become _a lot_ easier for the
average user. E.g. the iPhone and the iPad were the first computers that my
mother really grasped and was able to use comfortably on her own. The limited
walled garden approach to computing ensures that she doesn't accidentally
install malware, etc. In the end, I think the secure, walled gardens are
useful to the average user.

Of course, the inherent danger is unfair competition - the gatekeeper can
decide to reject software whenever it wants and impose fees and crazy rules.
Since in the EU, we are not completely averse to government intervention, I think
it is best that the European Union would regulate such walled gardens, e.g. by
limiting the percentage that the gatekeeper can charge, by requiring that the
gatekeeper accepts all software that is not malicious, and requiring that a
method should be required to unlock hardware. I think that putting such
regulations into place will be much more effective than fighting windmills.

~~~
mtgx
I think that argument is bogus. Having a way to sideload apps in your device
or being able to install a different OS, doesn't make grandma more likely to
get malware. It's the same model Apple is using in Mac OS X, too, now.

Grandma will still use the same OS, and will still install apps from the app
store, never knowing that she can even install apps from other places, and it
will be just as easy as if it were without that sideloading option. Having the
_option_ to do other things doesn't interfere with any of that.

And even if it does change things a little in some extreme cases - but
everything has its positive and negative sides. Everything. At the end of the
day you have to decide which gives the greater benefit. And I think having
"open" computing systems over completely closed ones, offers the greater
benefit in the long term, just like having an open (also could be read as
malware-filled, and cybercriminals-filled) Internet in the end is of much
greater benefit than having one fully controlled by the government and
companies.

~~~
SoftwareMaven
Now compare the difference in malware between OS X and Android. There appears
to be a correlation between how easy it is to circumvent the walls and the
amount of malware within the garden.

I'd love to see some real research on causality here, though, because
correlation obviously doesn't imply causation (though it is a reasonable
hypothesis, IMO).

~~~
sounds
Android malware takes advantage of the same social "hole" that makes Windows
so prone to malware: security is practically impossible when the OEM doesn't
care, the OS maker's hands are tied, and the end user doesn't have any other
option.

I believe Cyanogenmod users have a much better security track record for the
same social reasons that Desktop Linux users have better security. Case in
point: the exynos root exploit was patched quickly for Cyanogenmod users [1].
It may never be patched for "the rest of us."

[1] http://androidheadlines.com/2012/12/cyanogenmod-team-introduces-fixes-for-exynos-exploit.html

