
SoylentNews is people

posted by janrinok on Thursday June 26 2014, @01:44AM
from the bad-news dept.

Lucian Constantin writes at PC World that with the increasing number of 64-bit systems, experts say the incentive is growing for attackers to invest in methods of bypassing defenses like the PatchGuard kernel patching protection and the digital signature enforcement for drivers. "These protections have certainly increased the cost to build and deploy rootkits on 64-bit platforms," say McAfee researchers, but roadblocks set in place by 64-bit systems now appear to be "mere speed bumps for well-organized attackers", who have already found ways to gain entry at the kernel level.

The Secure Boot feature of the Unified Extensible Firmware Interface (UEFI), the BIOS replacement in newer computers, was designed specifically to prevent the installation of bootkits. It works by checking that the boot code inside the MBR is on a pre-approved whitelist and is digitally signed before executing it. However, over the past year security researchers have found several vulnerabilities in UEFI implementations used by many computer manufacturers that can be exploited from inside the OS to disable Secure Boot. Mitre security researcher Corey Kallenberg estimates that Secure Boot can be bypassed on about half of the computers that have the feature enabled. According to Kallenberg, OEMs have started to pay a lot more attention to BIOS security research and have started to react over the past year. "I think we're finally at a place where you'll see OEMs take this more seriously."

Related Stories

The PCLinuxOS Magazine on Bill Gates' 40-Year-Old Evil Prophecy 55 comments

Volume 189 of The PCLinuxOS Magazine has an article on Bill Gates' evil prophecy from 40 years ago where he aims for ending general-purpose computing. He achieves that goal a step at a time over the decades, with the help of many a mole and quisling. Lately, the Pluton chip and Restricted Boot both play key roles towards ending this era of general-purpose computing. The Pluton chip is an extension of the Trusted Platform Module (TPM) used by Vista10 and required by Vista11. Canonical, the maker of Ubuntu, and even its upstream source, Debian, folded years ago in regards to secure boot by using Microsoft's signing key, possibly cementing that as the norm. The article covers that and many other incidents leading up to the current situation.

There is an ever-decreasing amount of time left to keep general-purpose computing alive and the author signs off with how to approach the political maneuvers going on:

The implications are already starting to show

At the beginning of the year, Matthew Garrett, the researcher who created the UEFI bootloader for Linux (which I do not agree with at all, as it sets a precedent for Microsoft to abuse the market, with its position of power, should not be allowed under any circumstances) said that the Pluton chip was not an attack on users' freedom to use whatever operating system they wanted, which was not a threat.

In July 2022, he recanted, when he was unable to install Linux on a high-end Thinkpad Z13, complaining that this was not a legal practice by Lenovo.

But, that's what Microsoft wants. Under the guise of enforcing security, it blocks the machine's access to the user himself, being the gatekeeper of personal computing. In other words, "my" microcomputer is over. From now on, it will be Microsoft's microcomputer, and only what it allows will run...[sic]

This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Insightful) by kaszz on Thursday June 26 2014, @01:50AM

    by kaszz (4211) on Thursday June 26 2014, @01:50AM (#60180) Journal

    This is just like a free Christmas present. Expl01it the system software and use that as an enabler to install the Free open source systems of your choice.

    And if UEFI is insecure. It makes its original purpose moot. Time to do the open way instead? Where the user selects the sign key, if any at all?

    • (Score: 2) by tangomargarine on Thursday June 26 2014, @04:11PM

      by tangomargarine (667) on Thursday June 26 2014, @04:11PM (#60384)

      And if UEFI is insecure. It makes its original purpose moot.

      It hasn't succeeded in killing Linux yet. Oh, you mean the original purpose was to make the boot process more secure? Er, yeah, that's what I meant. Right.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 2) by kaszz on Thursday June 26 2014, @04:58PM

        by kaszz (4211) on Thursday June 26 2014, @04:58PM (#60420) Journal

        The original intent was likely to kill off competitors and virus makers in one go. But smartphones have a harder lock down, well it ain't unheard they get jailbroken & rooted..

        But this UEFI certainly looks like a monopolistic tool. Perhaps some company may take Microsoft to court again on anti-competitive charges again?

  • (Score: 3, Insightful) by clone141166 on Thursday June 26 2014, @02:17AM

    by clone141166 (59) on Thursday June 26 2014, @02:17AM (#60183)

    While UEFI isn't just about "SecureBoot", the "SecureBoot" option in UEFI was one of its big selling points. We all knew that it was implemented in a terrible way that was mostly just about Micro$oft locking down their devices to prevent the installation of other OS's. Now it turns out even that wasn't done properly.

    It's sad that nobody in charge ever listens to the engineers or technically minded people, and time and again everybody ends up paying for it. I think we need laws that prevent anyone being placed in charge of other people w/o holding a qualification and a long period of experience in the field they are managing - all the way up to and including CEOs and company directors.

    • (Score: 2) by tathra on Thursday June 26 2014, @03:14AM

      by tathra (3367) on Thursday June 26 2014, @03:14AM (#60193)

      It's sad that nobody in charge ever listens...

      why listen when you can just fire the incompetent engineers for not implementing your solution properly? obviously the reason it was hacked so easily was because they did a sloppy job; probably even coded backdoors into it intentionally! those asshats better enjoy living off gov't cheese because i promise you they'll never see a job working in tech again!

      • (Score: 2) by kaszz on Thursday June 26 2014, @04:24AM

        by kaszz (4211) on Thursday June 26 2014, @04:24AM (#60215) Journal

        Just allocate the next H-1B with a higher serial number. More H-1B more code.. more pr0fit!

    • (Score: 3, Interesting) by Anonymous Coward on Thursday June 26 2014, @03:29AM

      by Anonymous Coward on Thursday June 26 2014, @03:29AM (#60201)

      It's sad that nobody in charge ever listens to the engineers or technically minded people, and time and again everybody ends up paying for it. I think we need laws that prevent anyone being placed in charge of other people w/o holding a qualification and a long period of experience in the field they are managing - all the way up to and including CEOs and company directors.

      I've been saying this for decades.

      It wasn't always this way, for what it's worth. Back in the 1980s I reported to people who were technically adept, and my managers reported to directors who were technically adept, etc - all the way up to VPs. We're talking companies like General Electric, and Ampex, and Network Equipment Technologies.

      It seems to me that things started changing in the mid- to late 1990s, when computers acquired graphic user interfaces.

      Big Money started getting involved in Silicon Valley, and all that money and power attracted predators and parasites of all sorts - for every symbiote (AKA engineer) it seemed there were two or three MBAs and at least as many salespeople (AKA parasites).

      These flooded into positions in IT organizations, confident that everything could be reduced to a two-line email or a spreadsheet and adept at using their superior grasp of business buzzwords and acronyms (ROI, etc), they 'sold' their managements on employing them, instead of boring old engineers, to manage the engineers ... and it's been shit, ever since.

      I'm ready to quit Silicon Valley and open a cafe. I'd have a steady income - and I'd hang out with people I liked and admired again, instead of BMW-driving, credit-card-waving, asshole-sniffing, 'networking' brown-nosers from hell.

      • (Score: 2) by kaszz on Thursday June 26 2014, @04:28AM

        by kaszz (4211) on Thursday June 26 2014, @04:28AM (#60217) Journal

        There must be something more profitable than café business? Otoh using your analysis it ought to be possible to introduce a non-governmental knowledge deficit taxation..

        • (Score: 2) by zafiro17 on Thursday June 26 2014, @07:54AM

          by zafiro17 (234) on Thursday June 26 2014, @07:54AM (#60246) Homepage

          What do we want? UTF! When do we want it? Now!

          Would any good UTF developers like to submit their resumé? :)

          --
          Dad always thought laughter was the best medicine, which I guess is why several of us died of tuberculosis - Jack Handey
          • (Score: 2) by zafiro17 on Thursday June 26 2014, @08:00AM

            by zafiro17 (234) on Thursday June 26 2014, @08:00AM (#60248) Homepage

            OMG it keeps getting funnier - I actually typed out tilde-A and copyright, and then Soycode barfed on those characters and made it even worse. 'Scuze me while I clean up the coffee on my keyboard. Getting Perl to play nicely with international character sets has always taken a lot of effort. Not picking on you, Soycode developers, but I pity the hard work you have ahead of you - you'll have to be smarter than I am to sort it out! Fortunately, I'm not that smart ...

            PS: dots: …

            --
            Dad always thought laughter was the best medicine, which I guess is why several of us died of tuberculosis - Jack Handey
          • (Score: 2) by kaszz on Thursday June 26 2014, @01:19PM

            by kaszz (4211) on Thursday June 26 2014, @01:19PM (#60304) Journal

            ISO-8859 has a habit of just working..

            UTF, it's always a mess somewhere.

          • (Score: 2) by martyb on Thursday June 26 2014, @02:44PM

            by martyb (76) Subscriber Badge on Thursday June 26 2014, @02:44PM (#60345) Journal

            zafiro17 [soylentnews.org] (234) wrote:

            What do we want? UTF! When do we want it? Now!

            FYI, at this very moment, we are hard at work in getting this implemented on a development instance of the site.

            If you are interested in helping out, join us on IRC and take a look at http://dev.soylentnews.org/ [soylentnews.org] where things are changing rapidly.

            (Moderators: +1 Informative, please.)

            --
            Wit is intellect, dancing.
            • (Score: 2) by zafiro17 on Thursday June 26 2014, @04:56PM

              by zafiro17 (234) on Thursday June 26 2014, @04:56PM (#60418) Homepage

              Much appreciated! Sorry if my comment came across as a bit harsh - wasn't trying to be mean. Good luck to the hard-working developers. Remember, as soon as you get UTF8 working, we'll all demand EBCDIC. Got it?

              --
              Dad always thought laughter was the best medicine, which I guess is why several of us died of tuberculosis - Jack Handey
    • (Score: 5, Insightful) by frojack on Thursday June 26 2014, @03:39AM

      by frojack (1554) on Thursday June 26 2014, @03:39AM (#60203) Journal

      Exactly, a Microsoft ploy to make switching systems harder, but the Linux community beat them with their own stick.

      UEFI was always just the wrong way to do it.

      All that was really needed was a physical switch (preferably inside the case), that you had to flip to rewrite the MBR (as when you install a new system on purpose). With the switch in the on position, it would hash the MBR, prompt for the OK, and store the result. With the switch Off, it compares its hash to the MBR hash, and boots or fails as necessary.

      The only time you would be at risk is when you are installing.

      --
      No, you are mistaken. I've always had this sig.
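The switch-gated MBR hash check described in the comment above, sketched as an added example (not code from the thread or from any firmware). The function names, the choice of SHA-256 and the constructed sample sector are assumptions, and the stored hash is assumed to live where the running OS cannot rewrite it. It also shows one edge case: hashing the full sector makes a legitimate repartition look like tampering.

```python
import hashlib
import hmac

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the bootstrap code
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


def measure_mbr(sector: bytes, include_partition_table: bool = True) -> str:
    """SHA-256 of the MBR sector, or of its boot-code area only."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    covered = sector if include_partition_table else sector[:BOOT_CODE_LEN]
    return hashlib.sha256(covered).hexdigest()


def boot_decision(sector, stored_hash, switch_on, operator_ok=False):
    """Model the proposal; returns (action, hash_to_keep).

    switch_on=True  : install mode, enroll the current hash if the operator agrees.
    switch_on=False : normal boot, compare against the enrolled hash.
    """
    current = measure_mbr(sector)
    if switch_on:
        if operator_ok:
            return "enrolled", current
        return "halt", stored_hash          # operator declined the new hash
    if stored_hash is None:
        return "halt", None                 # nothing enrolled: fail closed
    if hmac.compare_digest(current, stored_hash):
        return "boot", stored_hash
    return "halt", stored_hash              # MBR changed since enrollment


def make_sample_mbr(boot_code: bytes, partition_table: bytes = bytes(64)) -> bytes:
    """Constructed 512-byte sector for the demo (not a real boot loader)."""
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + partition_table + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = make_sample_mbr(b"\xfa\x31\xc0")
    _, stored = boot_decision(clean, None, switch_on=True, operator_ok=True)
    print("clean    :", boot_decision(clean, stored, switch_on=False)[0])

    tampered = make_sample_mbr(b"\xfa\x31\xc0\x90")   # one byte of code added
    print("tampered :", boot_decision(tampered, stored, switch_on=False)[0])

    # Same boot code, different partition table: flagged when the whole sector
    # is hashed, although the boot-code-only measurement is unchanged.
    repart = make_sample_mbr(b"\xfa\x31\xc0", b"\x80" + bytes(63))
    print("repart   :", boot_decision(repart, stored, switch_on=False)[0])
```

To measure a real disk image, pass its first 512 bytes to `measure_mbr`.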
      • (Score: 2) by kaszz on Thursday June 26 2014, @04:32AM

        by kaszz (4211) on Thursday June 26 2014, @04:32AM (#60220) Journal

        This is it +5

      • (Score: 2) by aristarchus on Thursday June 26 2014, @05:23AM

        by aristarchus (2645) on Thursday June 26 2014, @05:23AM (#60225) Journal

        You know, most of the time Frojack is full of it, but in this case the nail is hit on the head. The purpose of UEFI was to lock out Linux installs, but now it becomes a vector to hack M$ installs? Oh, irony, dost thou have a name? And a sensible proposal to boot? As in, a sensible proposal to boot? Well played, sir (or madam or mademoiselle)!!!

      • (Score: 1, Interesting) by Anonymous Coward on Thursday June 26 2014, @10:08AM

        by Anonymous Coward on Thursday June 26 2014, @10:08AM (#60270)
        I have been wanting that for years.

        Have the OS kernel in FLASH. Flash rom is cheap. If necessary shadow it into RAM, but a fresh copy is always handy.

        I would love to have the system all loaded so that boot is less than one second. Basically the time it takes to shadow copy the flash.

        Have the machine beep in hardware if a write to flash is attempted.

        Have a physical jumper on the FLASH write protect line, accessible only if you have physical access to the motherboard.

        When installing your OS, install the write jumper. Let the installer do its thing. Know it's going to beep at you.

        Once installed, remove the jumper. Nothing can corrupt your flash now. If your computer starts beeping at you, you know something is attempting to write to something they ought not to even try. A routine in flash could even compare your RAM image against the flash code and let you know if something is changing your core files. Gives you a heads up that something malicious may be amiss.

        I had a floppy disk drive back in the old DOS days I had modified so I had to close a physical switch to enable the disk drive to write. Otherwise, the write signal just tripped off a 74LS123 monostable connected to a piezoelectric beeper. I used it to detect viruses attempting to write to floppy, as well as some programs would try to write back to the disk as a copy protect scheme and render the disk useless. Once I knew I had prank code, I could always do a bitwise copy from the original install media and let the program do what it would to the copy. That was the days when my Soft-Ice worked. My original install disks were very precious to me and I did not want anything messing them up. Apparently that little write protect tab could be bypassed - I got the idea that it set some sort of flag in software that the programmer could choose to dishonor if he wanted to.

        I do not know if this is correct [pcreview.co.uk] but the part that has me concerned is the following I cut and pasted from toward the bottom of the given link...

        "Anteaus" wrote in message Malware can easily override the write protection on a floppy disc. Since the write protect tab was read by a photocell on the drive which input to a bit on an I/O port, it was child's play to reprogram the port to always read as writable.

        I have seen this same thing mentioned elsewhere. Years ago. I have not trusted the computer completely after they stopped printing the source code of the OS in the manuals ( anyone remember the IBM Technical Reference books for the PC? It was all there. Schematics, Source Code, Everything! )

        Anyone have more accurate info? I have never gotten any decent schematics on disk drives to verify, but given my experience so far on how resilient against deliberate malware that computer software has been designed, especially corporate stuff designed by sales executives, I have been very leery of stuff I did not make myself because they always seemed to be dealing with other business partners behind my back to leave weak spots in it. Much to my chagrin, business executives seem to buy anything presented to them with impressive trade dress, regardless of its trustworthiness.

      • (Score: 1) by jbruchon on Thursday June 26 2014, @10:57AM

        by jbruchon (4473) on Thursday June 26 2014, @10:57AM (#60279) Homepage

        UEFI doesn't have an MBR anymore. Just sayin'. Why aren't you inventing that switch for me? DO WANT. I don't think it can go inside the case though, as then "recovery options" would involve a consumer ripping the case apart and that's begging for a world of hurt.

        --
        I'm just here to listen to the latest song about butts.
    • (Score: 0) by Anonymous Coward on Thursday June 26 2014, @03:46AM

      by Anonymous Coward on Thursday June 26 2014, @03:46AM (#60204)

      > I think we need laws that prevent anyone being placed in charge of other people w/o holding a qualification and a long period of experience in the field they are managing - all the way up to and including CEOs and company directors.

      Good luck. All you'll get is proof of the peter principle. [wikipedia.org] It is inherently impossible to automate good governance/good management because those are jobs that are primarily the exercise of judgement, which by definition, is the opposite of automation.

      • (Score: 1) by clone141166 on Friday June 27 2014, @04:32AM

        by clone141166 (59) on Friday June 27 2014, @04:32AM (#60718)

        Even if the Peter Principle is assumed to be true, I think requiring some level of qualification and/or experience in the field you are managing would help raise the overall level of ability and quality of managers and businesses by raising the quality of all candidates for managerial/leadership roles.

    • (Score: 0) by Anonymous Coward on Thursday June 26 2014, @04:31AM

      by Anonymous Coward on Thursday June 26 2014, @04:31AM (#60219)

      UEFI, aka NSA-OS, is very badly implemented by many of the 'economy' manufacturers like MSI. This news is like telling us that researchers have discovered holes in Swiss Cheese.

  • (Score: 0) by Anonymous Coward on Thursday June 26 2014, @02:20AM

    by Anonymous Coward on Thursday June 26 2014, @02:20AM (#60184)

    FTFS: It works by checking that the boot code inside the MBR is on a pre-approved whitelist and is digitally signed before executing it

    ...and if it considers anything to be amiss, the system will not complete the boot process.
    Properly named, this would be called Crippled Boot.

    -- gewg_

  • (Score: 1, Funny) by Anonymous Coward on Thursday June 26 2014, @06:33AM

    by Anonymous Coward on Thursday June 26 2014, @06:33AM (#60230)

    To get to play with all this lovely malware!

  • (Score: 4, Interesting) by isostatic on Thursday June 26 2014, @08:07AM

    by isostatic (365) on Thursday June 26 2014, @08:07AM (#60251) Journal

    Back in my day, you could set your bios to protect the mbr, preventing the OS from changing it. Want to install a new boot loader? Disable in the bios first.

    that feature went out of style. Why?

    • (Score: 1, Informative) by PlasticCogLiquid on Thursday June 26 2014, @09:00AM

      by PlasticCogLiquid (3669) on Thursday June 26 2014, @09:00AM (#60261)

      I forgot about that! UEFI is complete shit though. I've upgraded a lot of computers from Win 8 to 7 though and on a lot of them they don't provide any drivers except the Win 8 64x drivers, so I have to manually hunt down each component's driver and it's a real pain in the ass. So even when you defeat UEFI you still have other problems to contend with.

    • (Score: 2) by egcagrac0 on Thursday June 26 2014, @02:44PM

      by egcagrac0 (2705) on Thursday June 26 2014, @02:44PM (#60343)

      It strikes me that it could be bypassed from non-BIOS software.

      Theoretically, the BIOS should be looking for that flag in NVR somewhere, and then dishonoring the write call.

      If looking to bypass this, I could either (recognize the BIOS version and) write new NVR values to reset the flag, or not use the BIOS for my disk I/O.

  • (Score: 3, Insightful) by meisterister on Thursday June 26 2014, @11:25PM

    by meisterister (949) on Thursday June 26 2014, @11:25PM (#60640) Journal

    The UEFI firmware really bothers me. Call me old-fashioned, but the purpose of the software burned into a computer's ROM is to check and set basic hardware, set up interrupts, then attempt to launch a bootloader. Nothing more, nothing less. It is not the ROM software's job to police your system. Compared to BIOS, UEFI is an over-engineered solution to no problem. I will agree that BIOS is a massive kludge, but it's better than its replacement. It's likely that BIOS could've just been re-implemented with large drive support. Nothing more was needed.

    --
    (May or may not have been) Posted from my K6-2, Athlon XP, or Pentium I/II/III.
    • (Score: 1) by jbruchon on Friday June 27 2014, @03:25AM

      by jbruchon (4473) on Friday June 27 2014, @03:25AM (#60704) Homepage

      To some extent you are confusing UEFI and Secure Boot. UEFI is generally a Good Thing(TM) because what it brings to the table is the ability to act as a much more intelligent boot loader than the traditional MBR/boot sector system. The MBR limitation has been a major thorn for decades; every other computer architecture graduated to advanced startup environments a really long time ago (EFI, OpenFirmware, ARC, etc.) but the "IBM PC compatible" has been stuck in the early 1980s since its inception. We now have computer startup code that can not only load your OS kernel for you (instead of just a 512-byte boot sector) but also provides a whole host of advanced services to whatever UEFI-compatible bootstrap you use. It's effectively a modern tiny OS, as it should be.

      Secure Boot is the thing that you're expressing disgust with. I agree with you. If I could always inject my own keys on any compliant platform, it'd be quite different, but on quite a few systems there is only one allowed key: Microsoft's signing key. Worse yet, many laptops ship with a UEFI BIOS that doesn't allow you to load a CSM for booting non-UEFI systems, and to open that option up you have to flash the UEFI BIOS to a newer version. An Acer I recently ran into had this issue, plus you couldn't even turn off Secure Boot without setting a BIOS supervisor password first! There is NO FUCKING EXCUSE for that kind of nonsense.

      --
      I'm just here to listen to the latest song about butts.