Discussion:
Win 8 OEM computers will end dual booting with Linux?
Postman Delivers
2011-10-01 18:41:03 UTC
Windows 8 secure boot to block Linux
http://www.zdnet.com.au/windows-8-secure-boot-to-block-linux-339322781.htm

or short URL
http://preview.tinyurl.com/6d4bdcw

The way I read it is that the hardware chip that now contains the BIOS
becomes (or contains) the UEFI. That hardware chip (firmware, if you
like) just won't allow the machine to boot from ANY medium that does not
contain an OS that is "approved".

1. the GPL Licensing issue comes into play. the hardware keys will NOT be
publicly available as the OEMs would not be able to distribute them
freely... in fact, other than the manufacturer, no one will be able to
obtain the hardware key, especially the consumer models. that being said,
because of the closed source nature of these keys, the Kernel (GPLv2) the
kernel developers will not include it as it would be considered
"Tainting" the kernel. & GPLv3 forbids the use of this method.

2. The OEM would most likely be using a software program provided by
Microsoft to generate the hardware keys as the OS is imaged on the
hard drive.

My question: Will all OEMs provide a switch to turn off the win8 only
kernel firmware signing, so the consumer can load the Operating system of
their choice, Linux, Hackintosh, OS/2 Warp, WinXP, etc.? Will dual boot
with win8 be allowed, as some employers currently require employees to
use Microsoft Operating System?

I currently have 3 clients that must have Silverlight and IE.8 in their
dual booted Microsoft operating systems to access their work schedules
and weekly assignments. When they upgrade to win8 dual boot/vid appears
this is going to be difficult to overcome as I read more. The Silverlight
security now fails quite often with I.E. 8, and the employees must call the
employer for guidance (many times employer hasn't a clue) so they provide
the information by voice defeating the security of Silverlight
implementation.

**

Microsoft tell the public this is for security reasons, I think it is to
prevent other operating systems from being installed on hardware by the
average user looking for a more secure O/S.

With all MS security hacks that take years to develop, a 14yr old script
kiddy will come along and hack it in a day.

What is everyone's take on this new nonsense?

JR the postman
Aragorn
2011-10-01 19:14:18 UTC
On Saturday 01 October 2011 20:41 in alt.comp.linux, somebody
identifying as Postman Delivers wrote...
Post by Postman Delivers
Windows 8 secure boot to block Linux
http://www.zdnet.com.au/windows-8-secure-boot-to-block-linux-339322781.htm
Post by Postman Delivers
or short URL
http://preview.tinyurl.com/6d4bdcw
Yes... This issue was first brought to my attention by way of the
Gentoo developer mailinglists, which are moderated and read-only on
Usenet, but nevertheless readable from a newsreader if your newsfeed
carries them. (news.eternal-september does.)

It was then also mentioned in a local GNU/Linux-related newsgroup - I
reside in Belgium - and I have brought this to the attention of two
other, distro-specific newsgroups. The news now appears to be
spreading fast, and I think that's a good thing. I therefore
appreciate that you've brought this up in this group as well. ;-)
Post by Postman Delivers
The way I read it is that the hardware chip that now contains the BIOS
becomes (or contains) the UEFI.
Something like that, yes. As a word of background explanation, the
legacy BIOS ("basic input/output system") chips currently used on x86
machines are archaic and run back to the days of the IBM AT. Actually,
it is even older, but before the AT, the BIOS didn't have a set-up
utility that could be fired up from within the POST ("power-on self
test") routine of the machine, and that could either not be modified or
required a special DOS utility from the machine's manufacturer that was
supplied on a floppy disk.

It is one of the reasons - not the only reason, but one of the reasons -
that the x86 architecture must boot up in so-called real mode, which is
an i8086/i8088-compatible 16-bit mode, without privilege separation in
hardware via privilege rings (as is the case in protected mode and long
mode), and without paged memory, and an upper memory limit of 1 MiB
only, of which the top 384 KiB are used by the BIOS for I/O operations.

RISC machines (and some non-x86 CISC platforms like Itanium) never had
a "real mode", and use a different type of firmware, commonly referred
to as an EFI ("extensible firmware interface"). Intel has developed a
UEFI ("unified extensible firmware interface") that is usable not just
on Itanium, but also on x86 - Intel-based Macintosh machines have a
UEFI.

UEFI does offer a number of advantages with regard to BIOS, such as the
fact that UEFI runs in the processor's protected mode, and by
consequence, so will the bootloader, which on a UEFI system is a
firmware extension. A second advantage for instance is that UEFI
machines support GUID partition tables, allowing up to 128 partitions
per physical hard disk.

UEFI-like firmware replacements for BIOS have already been developed by
(among others) the FLOSS community - e.g. CoreBoot, formerly known as
LinuxBIOS, which runs an actual Linux kernel in the firmware - and are
being used on several motherboards straight from the vendor. Tyan for
instance used to support CoreBoot, but has in the meantime withdrawn
its support for it.
Post by Postman Delivers
That hardware chip (firmware, if you like) just won't allow the
machine to boot from ANY medium that does not contain an OS that
is "approved".
This is not necessarily the case from the technical point of view, but
in this particular matter, considering that Microsoft is involved, and
considering that this is what Microsoft alludes to, you would be
correct.
Post by Postman Delivers
1. the GPL Licensing issue comes into play. the hardware keys will NOT
be publicly available as the OEMs would not be able to distribute them
freely... in fact, other than the manufacturer, no one will be able to
obtain the hardware key, especially the consumer models. that being
said, because of the closed source nature of these keys, the Kernel
(GPLv2) the kernel developers will not include it as it would be
considered "Tainting" the kernel. & GPLv3 forbids the use of this
method.
True.
Post by Postman Delivers
2. The OEM would most likely be using a software program provided by
Microsoft to generate the hardware keys as the OS is imaged on the
hard drive.
Yes, that is their plan, obviously. This is, according to Microsoft,
the demand towards any OEM vendor that will sell computers with Windows
8 installed and has them carry the "Designed for Microsoft (r) Windows
(tm) 8" sticker.
Post by Postman Delivers
My question: Will all OEMs provide a switch to turn off the win8 only
kernel firmware signing, so the consumer can load the Operating system
of their choice, Linux, Hackintosh, OS/2 Warp, WinXP, etc.? Will dual
boot with win8 be allowed, as some employers currently require
employees to use Microsoft Operating System?
That's the big question, and I guess it'll remain to be seen. Microsoft
itself claims that they themselves have made no demands that the signed
key set-up may not be disabled by the vendor, but according to RedHat,
the chances are very real - considering that they are OEM machines that
come with Microsoft Windows 8 preinstalled - that a large number of OEM
vendors will indeed make it impossible to disable this "feature".

Everyone in this business knows that Microsoft is not exactly the most
truthful of corporations - I am trying to be courteous here ;-) - and
that they do make secret agreements with their OEM vendors, via a
little bribe here and a bit of arm-twisting there. So I personally
think that the chances are very real that Microsoft will directly or
subliminally push OEM vendors towards the disabling of this feature,
similarly to how the OEM vendors have to pay much more for their bulk
acquisition of OEM Windows licenses if they also offer computers with
another operating system pre-installed than Microsoft Windows.

There will certainly be some coercion, yes. Count on it.
Post by Postman Delivers
I currently have 3 clients that must have Silverlight and IE.8 in
their dual booted Microsoft operating systems to access their work
schedules and weekly assignments. When they upgrade to win8 dual
boot/vid appears this is going to be difficult to overcome as I read
more.
Hmm... No, when you buy a Microsoft Windows license for a particular
machine, then that is a different thing from buying a computer that
comes pre-installed with Microsoft Windows. Microsoft will certainly
not abandon the people who are already using some version of Windows on
an existing machine and wish to upgrade to Windows 8 - not out of the
kindness of their hearts of course, but out of purely economic reasons.
Post by Postman Delivers
The Silverlight security now fails quite often with I.E. 8, and
the employees must call the employer for guidance (many times employer
hasn't a clue) so they provide the information by voice defeating the
security of Silverlight implementation.
I don't know about that. I don't use Microsoft Windows or any Microsoft
technology. I'm a UNIX guy. ;-)
Post by Postman Delivers
**
Microsoft tell the public this is for security reasons, I think it is
to prevent other operating systems from being installed on hardware by
the average user looking for a more secure O/S.
Oh absolutely! That's what this whole thing is about. It's Yet Another
Anti-Competitive Move (tm) from Microsoft.
Post by Postman Delivers
With all MS security hacks that take years to develop, a 14yr old
script kiddy will come along and hack it in a day.
What is everyone's take on this new nonsense?
That it is an abomination, and that we're eagerly looking forward to the
start of the next antitrust investigation or class action
litigation. ;-)
--
Aragorn
(registered GNU/Linux user #223157)
y***@gmx.net
2011-10-02 21:32:54 UTC
On Sat, 01 Oct 2011 21:14:18 +0200, Aragorn
<***@telenet.be.invalid> wrote:

I don't think that Windows 8 will change in how you can use a PC, but
it certainly will change the BIOS.
So far I am divided, but I think a change could be a good thing.
It may really provide a more secure option. So far, you can break in
pretty much any system if you sit in front of a PC. If you can remove
the battery you can reset the BIOS, which thus lets you boot with
whatever you want.
Not sure if the new technology will change that actually.
I do use both systems but tend to regard Linux as the better option.
But that doesn't change the problem for the masses. Nerds will always
find a way to run dual, but how will the masses do it?
Unless the masses will abandon the PC and move to the portable units.
Aragorn
2011-10-02 23:27:44 UTC
On Sunday 02 October 2011 23:32 in alt.comp.linux, somebody identifying
Post by y***@gmx.net
I don't think that Windows8 will change in how you can use a PC, but
it certainly will change the Bios.
No, Windows 8 in itself will not change the firmware. Microsoft still
has to leave room for people who own a machine with a traditional
legacy BIOS and who wish to upgrade to Windows 8. They cannot afford
to ignore those customers.

However, the OEM brandname home and office PCs that come pre-installed
with Microsoft Windows will require there to be the proposed UEFI with
the signed bootsector thing in order for Microsoft to sanction the OEM
manufacturers with the use of "Designed for Windows 8" stickers. This
is Microsoft's official statement on the matter, but also their only
statement so far. Like I said, they can't afford to ignore the other
customers.
Post by y***@gmx.net
So far i am divided, but i think a change could be a good thing.
UEFI does have certain technical advantages over a legacy BIOS, but not
everything supports it yet - think of the Xen bare metal hypervisor,
for instance - and progress should not come at the cost of
anticompetitive measures, which is what this technology is now being
abused for.
Post by y***@gmx.net
It may really provide a more secure option.
That depends on what it is that is being "secured". ;-)
Post by y***@gmx.net
So far, you can break in pretty much any system if you sit in front of
a pc. If you can remove the battery you can reset the bios and thus
lets you boot with whatever you want.
Not sure if the new technology will change that actually.
No, that will remain the same. If you have access to the physical
hardware, then you /pwn/ the machine. The main difference between the
legacy BIOS and UEFI is that UEFI runs in protected mode, like a
miniature operating system, and is more extended and extensible.
Post by y***@gmx.net
I do use both systems but tend to regard Linux as the better option.
But that doesn't change the problem for the masses. Nerds will always
find a way to run dual, but how will the masses do it.
Unless the masses will abandon the pc and move to the portable units.
One possible way would be to flash such a machine's UEFI firmware with
something like CoreBoot, which is a UEFI-like BIOS replacement that
pretty much works the same way, except that it's an Open Source
firmware based on a Linux kernel. So it will definitely not disallow
installing GNU/Linux on the machine.

However, doing that on an OEM machine will most likely void the
manufacturer's warranty, and not too many people would be so
adventurous as to flash the UEFI themselves.

I don't have all the answers. I guess we'll just have to see what
gives, and whether any antitrust committees will put this newest
anticompetitive maneuver under their microscope. Personally, I am
hoping that they do. If nothing else, then at the very least it will
buy the FLOSS community some time to counter the threat to our freedom.
--
Aragorn
(registered GNU/Linux user #223157)
atec77
2011-10-03 00:58:01 UTC
Post by Aragorn
On Sunday 02 October 2011 23:32 in alt.comp.linux, somebody identifying
Post by y***@gmx.net
I don't think that Windows8 will change in how you can use a PC, but
it certainly will change the Bios.
No, Windows 8 in itself will not change the firmware. Microsoft still
has to leave room for people who own a machine with a traditional
legacy BIOS and who wish to upgrade to Windows 8. They cannot afford
to ignore those customers.
However, the OEM brandname home and office PCs that come pre-installed
with Microsoft Windows will require there to be the proposed UEFI with
the signed bootsector thing in order for Microsoft to sanction the OEM
manufacturers with the use of "Designed for Windows 8" stickers. This
is Microsoft's official statement on the matter, but also their only
statement so far. Like I said, they can't afford to ignore the other
customers.
Post by y***@gmx.net
So far i am divided, but i think a change could be a good thing.
UEFI does have certain technical advantages over a legacy BIOS, but not
everything supports it yet - think of the Xen bare metal hypervisor,
for instance - and progress should not come at the cost of
anticompetitive measures, which is what this technology is now being
abused for.
Post by y***@gmx.net
It may really provide a more secure option.
That depends on what it is that is being "secured". ;-)
Post by y***@gmx.net
So far, you can break in pretty much any system if you sit in front of
a pc. If you can remove the battery you can reset the bios and thus
lets you boot with whatever you want.
Not sure if the new technology will change that actually.
No, that will remain the same. If you have access to the physical
hardware, then you /pwn/ the machine. The main difference between the
legacy BIOS and UEFI is that UEFI runs in protected mode, like a
miniature operating system, and is more extended and extensible.
Post by y***@gmx.net
I do use both systems but tend to regard Linux as the better option.
But that doesn't change the problem for the masses. Nerds will always
find a way to run dual, but how will the masses do it.
Unless the masses will abandon the pc and move to the portable units.
One possible way would be to flash such a machine's UEFI firmware with
something like CoreBoot, which is a UEFI-like BIOS replacement that
pretty much works the same way, except that it's an Open Source
firmware based on a Linux kernel. So it will definitely not disallow
installing GNU/Linux on the machine.
However, doing that on an OEM machine will most likely void the
manufacturer's warranty, and not too many people would be so
adventurous as to flash the UEFI themselves.
I don't have all the answers. I guess we'll just have to see what
gives, and whether any antitrust committees will put this newest
anticompetitive maneuver under their microscope. Personally, I am
hoping that they do. If nothing else, then at the very least it will
buy the FLOSS community some time to counter the threat to our freedom.
I expect a re-flash by a malicious individual will be all too easy within
days of the proposed release, as you know some machines currently use
the o/s to install bios updates and extending that idea to a utility
won't take long, certainly if an individual wants to multi boot a drive
swap will easily enable that if not a future utility, I use winblows in
a virtual machine as do many others which for me is no problem and any
attempt to make me do it any other way is no concern as the decision to
drop the o/s won't take much pressure.
Typically the suggestion is short sighted and will fail.
--
X-No-Archive: Yes
y***@gmx.net
2011-10-04 00:18:15 UTC
On Mon, 03 Oct 2011 01:27:44 +0200, Aragorn
Post by Aragorn
On Sunday 02 October 2011 23:32 in alt.comp.linux, somebody identifying
Post by y***@gmx.net
I don't think that Windows8 will change in how you can use a PC, but
it certainly will change the Bios.
No, Windows 8 in itself will not change the firmware. Microsoft still
has to leave room for people who own a machine with a traditional
legacy BIOS and who wish to upgrade to Windows 8. They cannot afford
to ignore those customers.
True, so I assume it will be an option as far as retail goes.
Post by Aragorn
However, the OEM brandname home and office PCs that come pre-installed
with Microsoft Windows will require there to be the proposed UEFI with
the signed bootsector thing in order for Microsoft to sanction the OEM
manufacturers with the use of "Designed for Windows 8" stickers. This
is Microsoft's official statement on the matter, but also their only
statement so far. Like I said, they can't afford to ignore the other
customers.
That brings me to another point. If a user would buy an OEM version of
W8 will it be still an option or will he be required to purchase
conform hardware?
I know you don't use Windows but that came to my mind. Right now I do
own an OEM version and it's already limited to the hardware one uses. It
will change perhaps how one builds the PC of choice.
In the end, as a Linux User you still can buy a Linux powered PC. At
least I think you can. How much control does MS really have over the
OEM market as a whole?
Post by Aragorn
Post by y***@gmx.net
So far i am divided, but i think a change could be a good thing.
UEFI does have certain technical advantages over a legacy BIOS, but not
everything supports it yet - think of the Xen bare metal hypervisor,
for instance - and progress should not come at the cost of
anticompetitive measures, which is what this technology is now being
abused for.
Yes I am aware of that. I am currently debating with myself which
empire is more evil. The Gates empire or the Jobs empire. Tricky
question really.
Normally I welcome change but it is uncertain in whose advantage it
will go.
It appears that MS views any PC as their PC and therefore can act
unilaterally on imposing rules.
For some reason I feel that Linux will have a harder stand.
Post by Aragorn
Post by y***@gmx.net
It may really provide a more secure option.
That depends on what it is that is being "secured". ;-)
That was an assumption. I have no proof of that :) It would be
desirable to have a secure box that you can not 'hack' but my guess is
that UEFI will not provide that what I am thinking of.
Post by Aragorn
Post by y***@gmx.net
So far, you can break in pretty much any system if you sit in front of
a pc. If you can remove the battery you can reset the bios and thus
lets you boot with whatever you want.
Not sure if the new technology will change that actually.
No, that will remain the same. If you have access to the physical
hardware, then you /pwn/ the machine. The main difference between the
legacy BIOS and UEFI is that UEFI runs in protected mode, like a
miniature operating system, and is more extended and extensible.
I have to read into it since UEFI has some other implications that seem
not entirely about security in the sense I am thinking of.
Post by Aragorn
Post by y***@gmx.net
I do use both systems but tend to regard Linux as the better option.
But that doesn't change the problem for the masses. Nerds will always
find a way to run dual, but how will the masses do it.
Unless the masses will abandon the pc and move to the portable units.
One possible way would be to flash such a machine's UEFI firmware with
something like CoreBoot, which is a UEFI-like BIOS replacement that
pretty much works the same way, except that it's an Open Source
firmware based on a Linux kernel. So it will definitely not disallow
installing GNU/Linux on the machine.
However, doing that on an OEM machine will most likely void the
manufacturer's warranty, and not too many people would be so
adventurous as to flash the UEFI themselves.
True, if you own an OEM PC you're out of luck. No Linux for you.
Or any other OS for that matter. Doesn't Apple have a policy that voids
their warranty if you install any other OS?
We are in the grip of two empires. How will it be in 10 years?
Post by Aragorn
I don't have all the answers. I guess we'll just have to see what
gives, and whether any antitrust committees will put this newest
anticompetitive maneuver under their microscope. Personally, I am
hoping that they do. If nothing else, then at the very least it will
buy the FLOSS community some time to counter the threat to our freedom.
Would be interesting to see who eventually will push a case against
MS. I haven't read anything about the reaction from OEMs like IBM or
any other manufacturer that sells Linux PCs/servers.
Aragorn
2011-10-04 01:09:32 UTC
On Tuesday 04 October 2011 02:18 in alt.comp.linux, somebody identifying
Post by y***@gmx.net
On Mon, 03 Oct 2011 01:27:44 +0200, Aragorn
Post by Aragorn
However, the OEM brandname home and office PCs that come
pre-installed with Microsoft Windows will require there to be the
proposed UEFI with the signed bootsector thing in order for Microsoft
to sanction the OEM manufacturers with the use of "Designed for
Windows 8" stickers. This is Microsoft's official statement on the
matter, but also their only statement so far. Like I said, they
can't afford to ignore the other customers.
That brings me to another point. If a user would buy an OEM version of
W8 will it be still an option or will he be required to purchase
conform hardware.
Well, I presume that they would still be offering versions of Windows 8
for non-UEFI machines. They'd be shooting themselves in the foot if
they were to insist on UEFI for those machines as well, because not
everyone might be willing to conform to that demand.

I don't know really. With Microsoft, everything's possible, as long as
it's treacherous enough.
Post by y***@gmx.net
I know you don't use Windows but that came to my mind. Right now I do
own an OEM version and it's already limited to the hardware one uses. It
will change perhaps how one builds the PC of choice.
In the end, as a Linux User you still can buy a Linux powered PC. At
least I think you can. How much control does MS really have over the
OEM market as a whole?
Their control here rests mainly with the brandname PCs. They have only
limited control over independent component vendors.
Post by y***@gmx.net
Post by Aragorn
UEFI does have certain technical advantages over a legacy BIOS, but
not everything supports it yet - think of the Xen bare metal
hypervisor, for instance - and progress should not come at the cost
of anticompetitive measures, which is what this technology is now
being abused for.
Yes I am aware of that. I am currently debating with myself which
empire is more evil. The Gates empire or the Jobs empire.
Definitely the former. Apple isn't trying to be a monopolist. They
view their own hardware as being artistic creations, and they appeal
to "the elite" feeling.

This "elite feeling" is the strongest in the USA and possibly Canada.
In the rest of the world, Apple is mainly used - at least, when we're
talking of the computers - by people who are into specific branches of
work, like desktop publishing or the music/multimedia industry. By
contrast, in the USA and Canada, owning an Apple computer makes
you "special".

Microsoft is an entirely different beast. They don't supply any
computer hardware of their own making, and so they're trying to
dominate the entire x86 market. They do offer Windows for other
platforms as well - again, speaking of computers, not of smartphones
and tablets and such - but they've never been able to compete with
what's natively supplied on such other hardware - think PPC, think
Alpha, think MIPS - because those are all UNIX operating systems, and
UNIX is vastly superior to anything Microsoft can ever come up with.

The x86 market however is an open market. x86 has always been an open
platform - which is why Intel devised the IA64 (Itanium) architecture
as a closed architecture again, as Intel too is a monopolist - and
historically, Microsoft has always had somewhat of a stronghold on that
market ever since the time of DOS.

They even deliberately sabotaged Windows 3.x in such a way that it would
(deliberately) crash if the underlying DOS versions happened to be
DR-DOS instead of MS-DOS or IBM PC-DOS. Windows would simply do a
version check on the underlying DOS and would, if it wasn't
an "approved" DOS version, start a timer with random value, which upon
its expiry would then hang the computer.
Post by y***@gmx.net
Tricky question really. Normally I welcome change but it is uncertain
in whose advantage it will go. It appears that MS views any PC as
their PC and therefore can act unilaterally on imposing rules.
That is their philosophy, yes. They consider themselves to be the sole
rulers of the x86 market and they tolerate no competition. Even not
when said competition was never even intended as competition, as in the
case of GNU/Linux.

GNU/Linux was developed as an alternative to proprietary UNIX. Windows
was completely irrelevant in that picture. But Microsoft wants to
eradicate it nevertheless, because GNU/Linux is Free & Open Source
Software, and it's that which is the thorn in Microsoft's eye. They
don't want you to be free. They want to be able to dictate what you
can and cannot do with your own machine. You have to be their slave.
Post by y***@gmx.net
For some reason I feel that Linux will have a harder stand.
Oh, they're not going to destroy GNU/Linux. There's not a chance in the
world that they can get away with that. Nobody owns GNU/Linux. It's
Free Software. It's a people's movement, not a corporate initiative.

Besides, everybody who's a professional in IT - and I do mean a real
professional, not an MCSE - knows that UNIX is a far more reliable, far
more powerful and far more mature operating system than Windows will
ever be. Most of the world's supercomputers run GNU/Linux. IBM
mainframes can run GNU/Linux, and on the bare metal, not emulated.

GNU/Linux is everywhere. That's what makes Microsoft so rabid.
Post by y***@gmx.net
Post by Aragorn
Post by y***@gmx.net
It may really provide a more secure option.
That depends on what it is that is being "secured". ;-)
That was an assumption. I have no proof of that :) It would be
desirable to have a secure box that you can not 'hack' but my guess is
that UEFI will not provide that what I am thinking of.
UEFI was not developed specifically with security in mind. It's just a
more modern BIOS replacement. It has advantages, but the alleged
security thing is only Microsoft and Intel's "conspiracy" to re-enforce
their monopoly.
Post by y***@gmx.net
Post by Aragorn
Post by y***@gmx.net
So far, you can break in pretty much any system if you sit in front
of a pc. If you can remove the battery you can reset the bios and
thus lets you boot with whatever you want.
Not sure if the new technology will change that actually.
No, that will remain the same. If you have access to the physical
hardware, then you /pwn/ the machine. The main difference between
the legacy BIOS and UEFI is that UEFI runs in protected mode, like a
miniature operating system, and is more extended and extensible.
I have to read into it since UEFI has some other implications that seem
not entirely about security in the sense I am thinking of.
No, UEFI was not designed for security. It was designed to offer better
integration between hardware and software, functionality-wise. The
security thing is a scam.

You can take a kitchen knife and turn it into a weapon. That's what
Microsoft and Intel have now done with UEFI.
Post by y***@gmx.net
Post by Aragorn
Post by y***@gmx.net
I do use both systems but tend to regard Linux as the better option.
But that doesn't change the problem for the masses. Nerds will
always find a way to run dual, but how will the masses do it.
Unless the masses will abandon the pc and move to the portable units.
One possible way would be to flash such a machine's UEFI firmware
with something like CoreBoot, which is a UEFI-like BIOS replacement
that pretty much works the same way, except that it's an Open Source
firmware based on a Linux kernel. So it will definitely not disallow
installing GNU/Linux on the machine.
However, doing that on an OEM machine will most likely void the
manufacturer's warranty, and not too many people would be so
adventurous as to flash the UEFI themselves.
True, if you own an OEM PC you're out of luck. No Linux for you.
Or any other OS for that matter.
That's why I never buy OEM PCs. ;-)
Post by y***@gmx.net
Doesn't Apple have a policy that voids their warranty if you install
any other OS?
I'm not sure. At first, BootCamp - which allows you to install
Microsoft Windows (or another operating system) on an Intel-based
Macintosh - was considered a hack, but if my information is correct
then Apple are now even officially supporting BootCamp.

The other way around, i.e. installing OSX on a non-Macintosh computer -
i.e. the so-called HackIntosh - is illegal, though.
Post by y***@gmx.net
We are in the grip of two empires. How will it be in 10 years?
Ten years? I don't even think that far ahead anymore. ;-) For all I
know, homo sapiens could easily blow up Planet Earth before those ten
years are up. ;-)

Okay, maybe that's a little far-fetched, but the total arsenal of
nuclear weapons currently stored (and still being developed) in the
world is enough to blow the entire planet to smithereens more than 7
times, or annihilate everything on the face of the planet 28 times.

Furthermore, earth is obviously undergoing some changes at the
geological and climatological level; so is the sun, and that's part of
why things are changing here on earth in terms of climate. (Man-made
global warming is a political scam, but I guess you knew that. ;-))

So who knows what will be, ten years from now? I have no idea,
really. ;-)
Post by y***@gmx.net
Post by Aragorn
I don't have all the answers. I guess we'll just have to see what
gives, and whether any antitrust committees will put this newest
anticompetitive maneuver under their microscope. Personally, I am
hoping that they do. If nothing else, then at the very least it will
buy the FLOSS community some time to counter the threat to our freedom.
Would be interesting to see who eventually will push a case against
MS. I haven't read anything about the reaction from OEM like IBM or
any other manufacture that sells linux pc/servers.
No, I suspect that if such a litigation is started, then it will most
likely come from a government, and I'm betting that Neelie Kroes, the
European Commissioner on Fair Competition, isn't going to like
Microsoft's newest monopolist tactic too much.

Arrogance always comes before the fall. And Microsoft seems incapable
of being anything other than arrogant, even though they've already
taken the fall several times.

I for one am eager to see them hit the dirt soon again. ;-)
--
Aragorn
(registered GNU/Linux user #223157)
y***@gmx.net
2011-10-05 01:35:52 UTC
On Tue, 04 Oct 2011 03:09:32 +0200, Aragorn
Post by Aragorn
On Tuesday 04 October 2011 02:18 in alt.comp.linux, somebody identifying
Post by y***@gmx.net
On Mon, 03 Oct 2011 01:27:44 +0200, Aragorn
Post by Aragorn
However, the OEM brandname home and office PCs that come
pre-installed with Microsoft Windows will require there to be the
proposed UEFI with the signed bootsector thing in order for Microsoft
to sanction the OEM manufacturers with the use of "Designed for
Windows 8" stickers. This is Microsoft's official statement on the
matter, but also their only statement so far. Like I said, they
can't afford to ignore the other customers.
That brings me to another point. If a user would buy an OEM version of
W8 will it be still an option or will he be required to purchase
conform hardware.
Well, I presume that they would still be offering versions of Windows 8
for non-UEFI machines. They'd be shooting themselves in the foot if
they were to insist on UEFI for those machines as well, because not
everyone might be willing to conform to that demand.
I think I was thinking about OEM as not a consumer choice but rather a
business one. So from that view, they could perhaps enforce a
stricter form of compliance.

After reading about UEFI I see it in more detail. Yes, security is
not the main aim.
Although it may be a good thing. Apple seems to use it already with
their Intel-based models.
But I think it was EFI and UEFI.
Post by Aragorn
Post by y***@gmx.net
Post by Aragorn
UEFI does have certain technical advantages over a legacy BIOS, but
not everything supports it yet - think of the Xen bare metal
hypervisor, for instance - and progress should not come at the cost
of anticompetitive measures, which is what this technology is now
being abused for.
Yes, I am aware of that. I am currently debating with myself which
empire is more evil. The Gates empire or the Jobs empire.
Definitely the former. Apple isn't trying to be a monopolist. They
view their own hardware as being artistic creations, and they appeal
to "the elite" feeling.
Gee, I would like to be elite and looking down on the poor people
using a PC. :)
Apple is indeed more mainstream here in the US. You don't have to be
a designer to use one. Not anymore.
If I had money, perhaps I would own an Apple. But then you have the
money issue. Elite for you.
Post by Aragorn
They even deliberately sabotaged Windows 3.x in such a way that it would
(deliberately) crash if the underlying DOS versions happened to be
DR-DOS instead of MS-DOS or IBM PC-DOS. Windows would simply do a
version check on the underlying DOS and would, if it wasn't
an "approved" DOS version, start a timer with random value, which upon
its expiry would then hang the computer.
I remember that. Earlier I used a DR-DOS computer and the DOS was
better than MS-DOS. But you also had problems running games with
DR-DOS. So my suspicion was that even these developers might have helped
to make MS-DOS THE choice.
Post by Aragorn
Post by y***@gmx.net
Tricky question really. Normally I welcome change but it is uncertain
to whose advantage it will go. It appears that MS views any PC as
their PC and therefore can act unilaterally on imposing rules.
That is their philosophy, yes. They consider themselves to be the sole
rulers of the x86 market and they tolerate no competition. Even not
when said competition was never even intended as competition, as in the
case of GNU/Linux.
GNU/Linux was developed as an alternative to proprietary UNIX. Windows
was completely irrelevant in that picture. But Microsoft wants to
eradicate it nevertheless, because GNU/Linux is Free & Open Source
Software, and it's that which is the thorn in Microsoft's eye. They
don't want you to be free. They want to be able to dictate what you
can and cannot do with your own machine. You have to be their slave.
MS cannot be happy to have any competition at all. Macs are somewhat
a competitor to them, but the shares are low so maybe not a big
concern.
More so the server side where Linux is dominant. Although I read that
Windows made some progress too. But I am not really educated in
servers.
Post by Aragorn
Post by y***@gmx.net
For some reason I feel that Linux will have a harder stand.
Oh, they're not going to destroy GNU/Linux. There's not a chance in the
world that they can get away with that. Nobody owns GNU/Linux. It's
Free Software. It's a people's movement, not a corporate initiative.
Besides, everybody who's a professional in IT - and I do mean a real
professional, not an MCSE - knows that UNIX is a far more reliable, far
more powerful and far more mature operating system than Windows will
ever be. Most of the world's supercomputers run GNU/Linux. IBM
mainframes can run GNU/Linux, and on the bare metal, not emulated.
GNU/Linux is everywhere. That's what makes Microsoft so rabid.
Sometimes I think a more single strategy would benefit Linux in having
some form of standards.
I find it sometimes quite a pain to find software that I need. But
of course private people develop in their spare time and so there is
not necessarily continuous progress on some software.
I am still attached to my Forte Agent as my newsclient as I was not
happy with what I have seen on Linux. Originally I thought on Linux
there must be more software for Usenet, but it wasn't.
Linux did make as a system a giant leap in that it became more usable
for the average user. I know you may see it the other way, but I think
it is a good thing for Linux as it brings more attention to Linux.
But one thing I cannot see the average dude doing when he comes home
to do something. Working in the shell/terminal.
That's what made Windows the choice. Click, click... and with 7 it is
even easier to use. Now they even have the graphics drivers
included.
But this is a perspective of a regular user and not an IT pro. There
is a difference.
Post by Aragorn
Microsoft's newest monopolist tactic too much.
Arrogance always comes before the fall. And Microsoft seems incapable
of being anything other than arrogant, even though they've already
taken the fall several times.
I for one am eager to see them hit the dirt soon again. ;-)
Maybe we will see this. Not sure... if I am still alive I will maybe
remember.
Or maybe Apple will take over the world.

The world will certainly be changed. I am sure of that. Nothing stays
the same. But I hope humankind will not destroy itself. But hey,
that's plausible. Isn't it?

oh. btw. not related to this subject what parameters do you use on
your linux?
Aragorn
2011-10-05 06:57:09 UTC
On Wednesday 05 October 2011 03:35 in alt.comp.linux, somebody
Post by y***@gmx.net
oh. btw. not related to this subject what parameters do you use on
your linux?
Hmm... What do you mean by parameters? I'm not sure I understand your
question... :-/
--
Aragorn
(registered GNU/Linux user #223157)
y***@gmx.net
2011-10-05 23:49:08 UTC
On Wed, 05 Oct 2011 08:57:09 +0200, Aragorn
Post by Aragorn
On Wednesday 05 October 2011 03:35 in alt.comp.linux, somebody
Post by y***@gmx.net
oh. btw. not related to this subject what parameters do you use on
your linux?
Hmm... What do you mean by parameters? I'm not sure I understand your
question... :-/
You wrote a while ago what option/parameters you were setting on your
devices like /boot noread
etc...
I liked the idea to make it a little more secure, better than it is by
default.
Aragorn
2011-10-06 02:07:25 UTC
On Thursday 06 October 2011 01:49 in alt.comp.linux, somebody
Post by y***@gmx.net
On Wed, 05 Oct 2011 08:57:09 +0200, Aragorn
Post by Aragorn
On Wednesday 05 October 2011 03:35 in alt.comp.linux, somebody
Post by y***@gmx.net
oh. btw. not related to this subject what parameters do you use on
your linux?
Hmm... What do you mean by parameters? I'm not sure I understand your
question... :-/
You wrote a while ago what option/parameters you were setting on your
devices like /boot noread
etc...
I liked the idea to make it a little more secure, better than it is by
default.
Ah, I understand now. ;-) Okay, here are some of the things I do - off
the top of my head, because it's already late over here now and my
memory isn't all too clear anymore. ;-)

° Partitioning and mount options pertaining to security:

  FILESYSTEM    SECURITY-RELATED OPTIONS      NOTES
- /boot         nouser,ro,nodev,nosuid        only readable by root
- /             nouser,defaults
- /usr          nouser,ro,nodev
- /usr/local    nouser,ro,nodev
- /opt          nouser,ro,nodev
- /var          nouser,rw,nodev
- /srv          nouser,rw,nodev,noexec
- /home         nouser,rw,nodev,nosuid
- /tmp          nouser,rw,nodev,noexec [*]    tmpfs

° PAM and other security settings:

- require root _login_ (via "/bin/su") for halt, reboot, hibernate
- use a umask of 0077 in "/etc/skel/.bashrc" (and thus in each user's
"~/.bashrc")

- disallow root logins over ssh in "/etc/ssh/sshd_config"

- only allow ssh logins to members of the wheel group

- disallow direct root logins at the console by commenting out all
entries in "/etc/securetty"
(note: does not affect runlevel 1)

- disallow the use of "/bin/su" to everyone who's not in the wheel
group
(note: some distributions do this out of the box)

- add...

~~:S:wait:/sbin/sulogin

... to the bottom of "/etc/inittab" to require the use of the root
user's password before entering runlevel 1 maintenance mode

- remove SUID bit on "/bin/mount" and "/bin/umount"
(note: this will probably disable automounting of removable media)

- if you build your own kernel, allow some data structures in "/proc"
to be marked read-only

- do not use runlevel 5, alias "a display manager"/"graphical login
screen", but use...

startx

...instead from a character mode login console
(note: that's one less process running with root privileges)

- "sabotage" the shutdown and reboot options offered in KDE through
both the KDE logout window and the KDE display manager by blanking
out the names of the executables it calls upon
(note: KDE does not call the PAM-controlled "/usr/bin/halt" and
"/usr/bin/reboot" but directly calls "/sbin/halt" and
"/sbin/reboot", which suggests that KDE uses policykit to elevate
privileges for anyone sitting at the local console)

- use the superuser settings of the KDE login manager to disable
reboot, halt and hibernate to everyone, both remote and local
(note: this is needed because the command to hibernate is not
listed anywhere in the KDE settings so you cannot "sabotage" it
through blanking out the name of the executable)

- make sure that the output of syslogd is shown on the
non-interactive console vc/12

- make sure X forwarding is disabled to all machines except for
the local LAN, or disable it altogether if you don't use it

° Optional:

- install rkhunter (and have it run from a cron job)
- install an intrusion detection system such as aide, snort et al
- do not use xinetd or inetd; manually select what services to run
- if you're really paranoid, set the immutable flag on all executables
in "/bin" and "/sbin" (and on the directories themselves), and on
everything below "/lib", and certain crucial files in "/etc"
(note: this is going to be a pain in the butt when installing
updates ;-) -- see the man page for "chattr" for details)
- install Brute Force Defender and Adaptive Firewall; they will
automatically add a rule to iptables for any IP address from where
three successive failed login attempts come within a certain timeout
and they will also insert a delay between failed ssh login attempts

These are just some of the things I do, and some of the optional things
that can be done, off the top of my head. I'm sure I'm overlooking a
few things, but it's already 04h00 in the morning over here and I've
been up all night, so... ;-)


[*] Setting the "noexec" mount option on "/tmp" /may/ cause problems
when trying to install certain software packages. In that case,
simply remount "/tmp" with "exec" enabled for the time being, and
then remount it again with "noexec" after you're done. This /may/
require that you drop to runlevel 1 first in order to remount
"/tmp". My PCLinuxOS 2009.2 doesn't require it, but my Mageia 1
installation does.
--
Aragorn
(registered GNU/Linux user #223157)
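
The mount-option table in the post above can be checked against a running system's mount table. This shell audit is an added example, not part of the original post: the policy string is transcribed from that table, while the function name `audit_mounts` and the sample mount table are constructed for illustration.

```sh
#!/bin/sh
# Policy transcribed from the table above: mountpoint=flags that must be
# visible in the kernel mount table. "nouser" and "defaults" are omitted:
# they are handled by mount(8) when it reads fstab and do not appear in
# /proc/mounts. "rw" is not enforced; only the restrictive flags are.
POLICY='/boot=ro,nodev,nosuid /usr=ro,nodev /usr/local=ro,nodev /opt=ro,nodev'
POLICY="$POLICY /var=nodev /srv=nodev,noexec /home=nodev,nosuid /tmp=nodev,noexec"

# Constructed sample in /proc/mounts format (not taken from a real machine).
SAMPLE='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 ro,nosuid,nodev,relatime 0 0
/dev/sda3 /usr ext4 ro,nodev,relatime 0 0
/dev/sda5 /usr/local ext4 ro,nodev,relatime 0 0
/dev/sda6 /opt ext4 ro,nodev,relatime 0 0
/dev/sda7 /var ext4 rw,nodev,relatime 0 0
/dev/sda8 /srv ext4 rw,nodev,noexec,relatime 0 0
/dev/sda9 /home ext4 rw,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'

# audit_mounts: reads a mount table (device mountpoint fstype options ...)
# on stdin, prints one line per finding, returns 1 if there was any finding.
audit_mounts() {
    awk -v policy="$POLICY" '
        # Remember the options per mount point; a later entry for the same
        # mount point replaces an earlier one.
        NF >= 4 { opts[$2] = "," $4 "," }
        END {
            n = split(policy, rule, " ")
            for (r = 1; r <= n; r++) {
                split(rule[r], kv, "=")
                mp = kv[1]
                if (!(mp in opts)) {
                    print mp ": not a separate mount"; bad = 1; continue
                }
                m = split(kv[2], need, ",")
                miss = ""
                for (i = 1; i <= m; i++)
                    if (index(opts[mp], "," need[i] ",") == 0)
                        miss = miss (miss == "" ? "" : ",") need[i]
                if (miss != "") { print mp ": missing " miss; bad = 1 }
            }
            exit bad + 0
        }'
}

# Demo on the constructed sample; it reports /home and /tmp.
printf '%s\n' "$SAMPLE" | audit_mounts || true
```

On a live system, run `audit_mounts < /proc/mounts`; a "/tmp: missing noexec" finding is what a forgotten remount after the footnote's temporary "exec" workaround looks like.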
y***@gmx.net
2011-10-08 17:14:47 UTC
On Thu, 06 Oct 2011 04:07:25 +0200, Aragorn
<***@telenet.be.invalid> wrote:

That is already good.. maybe not everything I can do, or not certain
about it. But it's a good strategy.

Thanks for that. And considering that late in the morning :)
David Mändlen
2011-10-08 17:30:36 UTC
Hi,

maybe this helps, too:

http://www.cromwell-intl.com/security/linux-hardening.html
y***@gmx.net
2011-10-09 05:27:16 UTC
On Sat, 8 Oct 2011 19:30:36 +0200, David Mändlen
Post by David Mändlen
Hi,
http://www.cromwell-intl.com/security/linux-hardening.html
Good tip. Have to study that in the meantime.
MotoFox
2011-10-09 04:56:19 UTC
Post by Aragorn
Post by Postman Delivers
What is everyone's take on this new nonsense?
That it is an abomination, and that we're eagerly looking forward to
the start of the next antitrust investigation or class action
litigation.
Yup, that's basically a class-action $uit waiting to happen. Ugh.
--
MotoFox
Originator of the word "enubulous"

I just tell everybody to run Linux, myself.

Apple's "users are idiots and are confused by functionality" approach
is a disease. If you design your OS for idiots, only idiots will use
it. I don't use a Macintosh, because in striving to be so simple, they
simply can't do what I need them to do.

Please, just tell everybody to go to Linux.
Mëa Cúlpa
2011-10-17 13:37:40 UTC
Post by MotoFox
Post by Aragorn
Post by Postman Delivers
What is everyone's take on this new nonsense?
That it is an abomination, and that we're eagerly looking forward to
the start of the next antitrust investigation or class action
litigation.
Yup, that's basically a class-action $uit waiting to happen. Ugh.
And ppl might want to look at this:

http://en.wikipedia.org/wiki/Windows_refund

I'm happy to get $$$ if I get an OEM PC.
--
- Mëa Cúlpa - infernoxu at gmail dot com
- http://ucarenya.com/

--- Posted via news://freenews.netfront.net/ - Complaints to ***@netfront.net ---