Originally Posted by mmix
Originally Posted by srs5694
I wouldn't call this "news." "Propaganda," maybe, or "delusional ramblings," perhaps.
From the cited article:
James Bottomley, who had been paid by Novell (Microsoft) before he left, is developing "secure boot" and finding out that UEFI promises are empty. From his blog:
First, this quoted paragraph implies that Novell and Microsoft are one and the same company, or that Microsoft controls Novell. Neither is true. They do have certain business agreements, some of which are controversial -- see Wikipedia,
for example. Jumping from a limited set of business relationships to an implication of a deeper relationship is a trick commonly used in propaganda, and often seen in paranoid conspiracy theories.
Second, the claim that "UEFI promises are empty" goes well beyond the linked-to document of Bottomley's, which makes it quite clear that the problems are technical. The phrasing implies that Bottomley concluded that Microsoft's promises are empty, but that's far from true. A conspiracy theorist might claim that these problems have in fact been rigged, but that runs up against a problem: An anti-Linux conspiracy would require that Microsoft refuse to sign any
working Linux boot loader, but that's not the case -- both Ubuntu and Matthew Garrett have received (and delivered publicly) signed versions of shim. Another issue here is that the author is conflating Microsoft with UEFI. The two are entirely different. At best, this is just plain sloppy; at worst, it's more propaganda -- a deliberate effort to confuse readers about what's what.
The article in question quotes many sources, but most are based on the same original source: A single blog post by James Bottomley. AFAIK, no
additional information on this topic appears in any of the other references. (A few do delve into other areas, but that's not really relevant to the main point of the article.) By quoting many sources that in turn quote just one original source, it makes it look as if there were more information or a broader problem, but it really all comes down to one thing: One developer is having problems getting his boot loader signed. His own blog post on the topic -- our one
primary source -- puts this down to technical glitches and/or bureaucracy. In the absence of additional information, turning this into a conspiracy theory is inappropriate at best.
The overall tone of the article is also quite suspect. It uses phrases like "longtimes [sic] convicted thug" and "crooks" in reference to Microsoft or its partners. Microsoft has been at the losing end of lawsuits, but the terms "thug" and "crook" carry with them implications of low-life petty criminality, like burly men with knives who threaten old women in dark alleys. Such emotionally-charged language sets off alarms in my head about the reliability of the source.
In fact, you referenced Bottomley's original blog post earlier in this thread. This latter sensationalist spin on it doesn't add any new information; it just ratchets up the level of hysteria and paranoia. At best, it can be considered extremist commentary on old news. At worst, it feeds the flames of paranoia.
anyway, well, IIRC, first delusional attack was microshaft's UEFI.
The word "microshaft" in reference to "Microsoft" is another of those terms that sets off alarms in my head. That aside:
Microsoft did not invent UEFI; Intel did. UEFI is now an open standard. You can download its full source code from Sourceforge.
UEFI has numerous problems, but it's certainly not an "attack" on anything.
Do not conflate UEFI with Secure Boot. Secure Boot is just one optional feature of UEFI; a UEFI computer that lacks Secure Boot, or on which that feature has been disabled, is not a threat in the way you mean. Secure Boot can be used to lock a computer into running just one OS, but at the moment it's not being used in this way on x86-64 computers. For ARM it gets a bit trickier; that depends on how easy it will be to adapt shim to ARM and get an ARM version signed. As the number of ARM devices shipping with Windows 8 is quite limited, though, this particular aspect of the problem is equally limited.
If it seems that I'm coming down hard on these linguistic excesses, be aware that it's because I'm concerned about the effect of such excesses on the ability to raise alarms if and when that becomes necessary. Calling "Microsoft" "microshaft," referring to them as "thugs," using propagandistic tricks to turn a single blog post from a reputable source into a vast conspiracy, and so on make the Linux community look immature or paranoid. In its current form and given current policies, Secure Boot is more of an annoyance to Linux than a threat, and so making too big a deal of it right now is like the boy who cried wolf. The problem is that a wolf might appear down the line. Maybe with Windows 9 or 10 Microsoft will change its licensing policies to require that Windows PCs have UEFI implementations in which Secure Boot can not
be disabled (as is the case for Windows 8 ARM systems now). Maybe they'll change their signing policies so that they won't sign boot loaders like shim. In the absence of changes to the UEFI spec or other countervailing forces, that would create the sort of threat that you seem to be convinced already exists. Raising the alarm at that time will then become harder because of the knowledge of the alarm this time around, which has already proven to be a false alarm.
It's workable, but it's still quite primitive. The tools are first-pass solutions to their relevant problems, so they're inelegant and limited. I expect the maturity level to increase rapidly, though. With any luck this will work more-or-less transparently for users who want to install a single Linux distribution on their computers within 6-12 months, and the inconvenience for those wanting to boot multiple distributions will become minimal in that time frame.