Why do Linux fanatics want to make Windows 8 less secure?

Summary: Windows 8 isn't even in beta yet, and already the FUD is flying fast and furious. A small group of activists are whipping up controversy over the UEFI secure boot feature even as they admit the feature is "valuable and worthwhile." Here's the real story.

The FUD is flying fast and furious over Windows 8, and the OS isn't even in beta yet.

The Free Software Foundation (FSF) is organizing a petition-signing campaign over Microsoft's announced support for the secure boot feature in next-generation PCs that use Unified Extensible Firmware Interface (UEFI) as a replacement for the conventional PC BIOS. My ZDNet colleague Steven J. Vaughan-Nichols is urging his readers to sign the petition with a bit of deliberately inflammatory language, calling it "UEFI caging."

The crux of their argument is that Microsoft is deliberately requiring a change in next-generation hardware that will make it impossible to wipe off a Windows installation and install Linux. They are wrong, and their effort to whip up public fury is misguided at best and cynical at worst.

Allow me to illustrate by turning the argument around in an equally cynical way, with an equally inflammatory rhetorical flourish:

People who make their living in the Linux ecosystem are demanding that Microsoft disable a key security feature planned for Windows 8 so that malware authors can continue to infect those PCs and drive their owners to alternate operating systems.

Oh, wait. Now that I think about it, that's actually pretty close to the truth.

The most disappointing part of this whole phony controversy is that its ringleaders have managed to suck in some people who should know better. Like Ross Anderson, Professor of Security Engineering at the University of Cambridge Computing Laboratory, who wrote this last month:

I hear that Microsoft (and others) are pushing for this to be mandatory, so that it cannot be disabled by the user, and it would be required for OS badging.

This is grossly incorrect. It is disappointing that a university researcher who should believe in scientific rigor and respect for facts would spread a rumor that begins "I hear that..."

He continues:

The extension of Microsoft’s OS monopoly to hardware would be a disaster, with increased lock-in, decreased consumer choice and lack of space to innovate. It is clearly unlawful and must not succeed.

This is pure FUD.

Here's the reality. Malware authors are getting more creative and more vicious. A rootkit that can infect key operating system files can hide itself so thoroughly that it is virtually impossible to detect. The TDL4 rootkit is probably the best known and most deadly of the bunch. It can patch the Windows Boot Configuration Database, overwrite key system modules, and disable driver signing requirements, just for starters. It is a nightmare to clean up.

The secure boot feature pulls the rug out from under this rootkit and everything like it. Those key boot files that the rootkit tampers with are digitally signed. With Secure Boot enabled, any modification to those files is detected at startup by the UEFI code-signing check, and the system stops in its tracks. Rootkit foiled, user protected, recovery possible.
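A practical check to go with the paragraph above, added here as an example and not taken from the article: on a Linux system booted through UEFI, the firmware's Secure Boot state can be read from the standard `SecureBoot` and `SetupMode` variables exposed under efivarfs. The sample byte strings are constructed, and the state labels returned are this example's own.

```python
"""Report UEFI Secure Boot state from Linux efivarfs (added example)."""
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE vendor GUID from the UEFI specification.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")

# Constructed sample entries: 4-byte little-endian attribute word, then data.
SAMPLE_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_OFF = b"\x06\x00\x00\x00\x00"


def parse_efivar(raw):
    """Split a raw efivarfs entry into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("entry shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]


def flag_value(raw):
    """Return the one-byte flag held in an entry, or None if it is absent."""
    if raw is None:
        return None
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError("expected a single-byte flag, got %d bytes" % len(data))
    return data[0]


def read_raw(name, root=EFIVARS):
    """Read NAME-<global GUID> from efivarfs; None if missing or unreadable."""
    try:
        return (root / f"{name}-{EFI_GLOBAL_GUID}").read_bytes()
    except OSError:
        return None


def secure_boot_state(secure_raw, setup_raw):
    """Classify the platform; the labels are this example's own."""
    secure, setup = flag_value(secure_raw), flag_value(setup_raw)
    if secure is None:
        return "unsupported"   # legacy BIOS boot, or efivarfs not mounted
    if setup == 1:
        return "setup-mode"    # no Platform Key enrolled, nothing enforced
    return "enforcing" if secure == 1 else "disabled"


if __name__ == "__main__":
    print("this machine:", secure_boot_state(read_raw("SecureBoot"), read_raw("SetupMode")))
    print("constructed sample:", secure_boot_state(SAMPLE_ON, SAMPLE_OFF))
```

A fleet check would alert on anything other than `enforcing` for machines that shipped with Secure Boot enabled.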

As my colleague Mary Jo Foley has noted, the initial reports came from an employee of Red Hat Linux who acknowledges that "UEFI secure boot is a valuable and worthwhile feature."

The question to ask anyone who tries to sell you on this bit of FUD is "Why?" Why would Microsoft even care whether this option is available? They care about the 99% of PC buyers who purchase systems with Windows preinstalled. They have no economic incentive to mess with the microscopic percentage of the PC market that uses Linux.

Microsoft has specified that this feature must be enabled by default for new systems that are sold with Windows 8 to qualify for logo support. OEM sales historically represent more than 90% of all Windows sales, making this a crucial requirement. If this feature has to be enabled manually by users, or if OEMs have the option to install Windows 8 with this feature turned off, the security feature is meaningless.

So the real question becomes this:

Will PC makers make it possible for end users to toggle this option in the UEFI settings?

And the answer is painfully obvious:

Of course they will. They would be insane not to.

A non-trivial percentage of PC buyers will want to replace the installed operating system with either an older Windows version or an alternate operating system (like Linux). If they are unable to do so, they will call the manufacturer's support line asking why this seemingly simple task cannot be accomplished.

PC profit margins are razor thin. A single 10-minute support call can eat through the entire profit that an OEM makes on a computer sold in the retail channel. If the call goes on for long enough, it gobbles up the profit for 10 PCs.

I asked a spokesperson for AMI, one of the largest makers of BIOS and UEFI firmware, for a statement on this issue. Here's what I was told:

The decision on making secure boot open to the user is in the hands of the OEM.

Just as was/is the case with legacy BIOS, it is up to individual OEMs to decide what features are enabled on their specific platforms. Speaking specifically about Windows 8, since Microsoft has announced that they would like secure boot enabled by default, OEMs seeking to enter the Win8 market will likely ensure that secure boot is enabled on their platforms. Since secure boot can be enabled / disabled by the user if the OEM makes this available, I would imagine that many OEMs will keep this option open to their users in order to appeal to a wider cross-section of users.

I can say that generally speaking, AMI will advise OEMs to provide a default configuration that allows users to enable / disable secure boot, but it remains the choice of the OEM to do (or not do) so. [Emphasis added] 

In AMI's case, OEMs use a simple toolkit to build a BIOS. The Aptio UEFI Firmware tool is an integrated development environment, with debug tools, utilities and the like. OEMs can get the most out of their BIOS development and make platform-specific customizations and enhancements. The option to enable/disable secure boot is, literally, a check box.

Here is what Microsoft has to say specifically about the secure boot requirement and Windows 8 certification:

For Windows customers, Microsoft is using the Windows Certification program to ensure that systems shipping with Windows 8 have secure boot enabled by default, that firmware not allow programmatic control of secure boot (to prevent malware from disabling security policies in firmware), and that OEMs prevent unauthorized attempts at updating firmware that could compromise system integrity.

[...]

At the end of the day, the customer is in control of their PC. Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision.

In the Samsung tablet that Microsoft gave paid attendees at the BUILD conference, the Secure Boot option was enabled, but the toggle was right there in the settings. I am confident this will be the case with virtually every new PC sold in the Windows 8 timeframe. Any PC maker who does otherwise is shooting themselves right in the foot.

I expect this sort of FUD from the Free Software Foundation. They have a longstanding reputation for hysterical reactions to everything Microsoft does. I vividly recall their deliberately misleading, technically absurd, and factually inaccurate FUD campaign over Microsoft's support for the MP3 format in 2010. This is more of the same.

I expect better from academics at an institution like Cambridge.

Don't fall for this FUD.

Topics: Hardware, Linux, Microsoft, Open Source, Operating Systems, Security, Software, Windows

Talkback

461 comments
  • RE: Why do Linux fanatics want to make Windows 8 less secure?

    Linux is free, but the services for Linux are not free...
    Why don't these hypocrites make Linux services free as well and serve mankind for a noble cause?

    How do these free software advocates make a living??? Living on benefits or government grant using taxpayers' money???
    owlnet
    • RE: Why do Linux fanatics want to make Windows 8 less secure?

      @owlnet

      They make a living working for places like IBM, Google, and HP.
      Michael Kelly
      • Master Joe Says...Wow

        @Michael Kelly Was that meant as a good thing? IBM's claim to fame recently was that their servers aren't 10x slower than Oracle's. They're only 6; this from IBM's own people. Google has tax issues at the moment, anti-privacy issues, and anti-trust issues, and even its own employees have begun to, albeit accidentally, bash their products (Google+) in public, with some rather strong language. HP can't even find a fit CEO to run the company, kills off a product two months after launch, and now has an OS they spent a whole lot of money on with no means of turning a profit for them. Those sound like great places to work. If you're a consultant, IBM IS a great place to work. If you're a Linux developer, other than perhaps working with the RHEL team or with Canonical, I'm just not seeing how you're better off than someone who is more intimately familiar with Windows, which, by the way, rules both the enterprise and consumer markets. Just my two cents on this.

        --Master Joe
        SteelCityPC
      • A long history of antitrust trials and Microsuck

        @Michael Kelly
        I could not help but feel a kind of deja vu, that this has happened before, and it has. Linux is a threat in spite of its minuscule user base but has a big presence among web servers.
        Add to this an insecure Microsoft, they know they would lose a lot of customers without using dirty tricks.
        "Security" is just an excuse. Did anyone really believe otherwise? When has MS Windows ever been anything else than totally perforated by malware?
        Mikael_z
      • RE: Why do Linux fanatics want to make Windows 8 less secure?

        To be perfectly honest, I see this as more a preemptive attack against possible 'regular home users' switching over to something like Ubuntu. Your average user won't know how to go into BIOS to disable UEFI - and if they see that installing Linux means doing 'some dern technical thingy', they'll just not do it.

        This is exactly what Ubuntu and other distributions are trying to avoid, making Linux look 'technical'. Even if EVERY OEM allows the user to disable it easily, but since they all want Windows 8 stickers they have it on by default... Microsoft has won.

        The 90% of people who COULD switch to Linux (people who don't play games, or run MS-only products - people who can live with Firefox instead of IE, LibreOffice instead of MS Office, etc.) will just not switch, because they don't know how/are too lazy to mess with their BIOS, usually accompanied by something about how 'technical' it is, and 'not for them'.
        Tynach
      • RE: Why do Linux fanatics want to make Windows 8 less secure?

        @Tynach
        So you're saying that adjusting BIOS settings scares potential Linux users off but installing a new OS won't? People that install Linux are 'expert' users or otherwise they will let an 'expert' friend do it for them. Really, adding an extra step inside the BIOS won't change anything.
        If I were a novice user I would be more scared to install a completely new OS other than Windows without wrecking my computer (and that's not a stupid assumption when you're a novice) than to adjust one tiny setting.

        And btw, you're talking about a UEFI option inside the BIOS but actually the BIOS will be totally replaced by UEFI. So it's an option inside UEFI. Just so you know :-)
        belli_bettens
      • RE: Why do Linux fanatics want to make Windows 8 less secure?

        @Tynach
        The average home user will never move to any version of Linux unless a major marketer of PCs and laptops promotes the platform. That is never going to happen. Hand held devices don't count.
        notme403
      • RE: Why do Linux fanatics want to make Windows 8 less secure?

        @Tynach, if you think toggling a SecureBoot setting is going to be a roadblock to running Ubuntu, you're ignoring what it already takes to install and run Ubuntu. It's trivial.

        There is nothing preventing Ubuntu's developers from updating it to be SecureBoot compliant.
        Lester Young
    • RE: Why do Linux fanatics want to make Windows 8 less secure?

      @owlnet
      It's not about free; it's about choice. I agree it's early to attack Win 8. They might still force OEMs to have a toggle off option.

      Likewise, it's too early for the Windows fanatics to be defending Win 8 too. Microsoft may allow OEMs to turn the PC market into one like the smartphone where you are expected to only run what it comes with.
      anono
      • It's not up to Microsoft

        @anono

        So stop trying to pin the blame on them. It is up to the OEM. Pure and simple. I know you'd really like to find something wrong with Microsoft on this but it's a fantastic feature. Anything that prevents rootkits is a fantastic feature.

        Some OEMs will allow you to disable it, others won't. But it has nothing to do with Microsoft.
        LiquidLearner
      • Now That's Not Correct Either

        @LiquidLearner

        Considering the requirement to have this enabled by default in order to get Windows 8 certification, it's rather a stretch to say, "It has nothing to do with Microsoft." Microsoft isn't forcing manufacturers not to make the option to turn it off available, but they do have a lot to do with the feature being implemented in the first place. Just leave it at, "Microsoft isn't making the final decision."
        CFWhitman
      • RE: Why do Linux fanatics want to make Windows 8 less secure?

        @liquidlearner

        Sorry, but history has shown that OEMs do whatever Microsoft tells them to. If they don't, then Microsoft just increases the price the OEMs are charged until they are out of business. Everyone in the OEM business knows that too. That's what really happened to the Linux based 'Netbooks'. There, it wasn't the Netbook market, it was the Desktop and Laptop markets that really frightened the OEMs. The only holdouts are Apple and a few Linux resellers.

        In servers it doesn't matter as much because Microsoft isn't capable of running a big server. Anything over 64 processors just doesn't do Windows well at all.

        Microsoft has been convicted twice in the US of using these tactics, and also convicted twice in Europe. More times than that in Asia. It's old news. It also hasn't changed.

        The fear in Linux is real, and based on experience. Saying 'Oh Shucks' which is all Mr. Bott has really done does nothing to allay the suspicion.

        The last time Microsoft tried this, around 12 years ago, your computer wouldn't run if you replaced any of the cards in the system.

        Yes, the Linux people are concerned, but the Windows people who maintain systems should be terrified. Just think, if you add any memory, you will need to buy a new Windows license.

        Now do you understand?
        YetAnotherBob
      • RE: Why do Linux fanatics want to make Windows 8 less secure?

        @anono What? Have you not read that it's a simple matter of making a selection in the BIOS to turn off UEFI? Give it a rest. By default a computer should be more secure. If you want to reduce that security to run another OS, then you do it at your own risk.
        groberts116
    • ScorpioBlue, making this out to be Microsoft's problem again.

      @ScorpioBlue
      I see it is business as usual for you, just like before under your earlier screen names.

      Do you not get tired of the endless FUD campaign that you have waged since the beginning? I know many of us here have tired of your endless FUD campaign.

      I imagine you have a vested interest in having Windows released without it being as secured as it could be.
      :|
      Tim Cook
      • No, I don't get tired of battling a monopoly

        A monopoly that lied, cheated and stole its way to the top. A monopoly that's as unavoidable today as cell phones.

        Better get used to it, faux pointy ears.
        ScorpioBlue
      • RE: Why do Linux fanatics want to make Windows 8 less secure?

        @Mister Spock - he was an abused child... and he's just jealous or we wouldn't have to "listen" to him.
        ItsTheBottomLine
      • RE: Why do Linux fanatics want to make Windows 8 less secure?

        @Mister Spock
        +1
        :)
        William Farrell
      • @ItsTheBottomLine should know

        He's the one who should know... ;)
        ScorpioBlue
    • RE: Why do Linux fanatics want to make Windows 8 less secure?

      @owlnet

      1. Free Software is a matter of liberty, not price.
      2. Businesses demand paid support, for accountability.
      3. I, and 1000s like me, provide free support for individuals.
      asmoore82
      • So go to a communist country, why live in US?

        @asmoore82

        So go to a communist country, why live in US?
        BestUS