SoylentNews is people
SoylentNews
Microsoft leaked the golden keys that unlock Windows-powered tablets, phones and other devices sealed by Secure Boot – and is now scrambling to undo the blunder.
These skeleton keys can be used to install non-Redmond operating systems on locked-down computers. In other words, on devices that do not allow you to disable Secure Boot even if you have administrator rights – such as ARM-based Windows RT tablets – it is now possible to sidestep this block and run, say, GNU/Linux or Android.
What's more, it is believed it will be impossible for Microsoft to fully revoke the leaked keys.
And perhaps most importantly: it is a reminder that demands by politicians and crimefighters for special keys, which can be used by investigators to unlock devices in criminal cases, will inevitably jeopardize the security of everyone.
Microsoft's misstep was uncovered by two researchers, MY123 and Slipstream, who documented their findings here in a demoscene-themed writeup published on Tuesday. Slip believes Microsoft will find it impossible to undo its leak.
[Continues...]
[...] People are particularly keen to unlock their ARM-powered Surface fondleslabs and install a new operating system because Microsoft has all but abandoned the platform. Windows RT is essentially Windows 8.x ported to 32-bit ARMv7-compatible processors, and Microsoft has stopped developing it. Mainstream support for Surface RT tabs runs out in 2017 and Windows RT 8.1 in 2018.
A policy similar to the leaked debug-mode policy can be used to unlock Windows Phone handsets, too, so alternative operating systems can be installed. A policy provision tool for Windows Phone is already available. We expect to hear more about that soon.
[...] The Secure Boot policies Microsoft is rushing to revoke can't be used to backdoor conversations or remotely hijack systems, but they remind us that this kind of information rarely stays secret.
"This is a perfect real world example about why your idea of backdooring cryptosystems with a 'secure golden key' is very bad," Slipstream wrote, addressing the FBI in particular.
"Smarter people than me have been telling this to you for so long. It seems you have your fingers in your ears. You seriously don't understand still? Microsoft implemented a 'secure golden key' system. And the golden keys got released by Microsoft's own stupidity. Now, what happens if you tell everyone to make a 'secure golden key' system?"
The article goes into considerable background on the leaked keys and how you can use them to circumvent Secure Boot. Happy hacking to anyone who has (or can get a good deal on) a Windows RT tablet!
(Score: 3, Insightful) by Anonymous Coward on Thursday August 11 2016, @12:03AM
Thank you, Microsoft, for publishing these keys. We love you.
(Score: 0) by Anonymous Coward on Thursday August 11 2016, @12:18AM
what, no love for my123 and slipstream?
(Score: 2) by SomeGuy on Thursday August 11 2016, @01:10AM
Aaaaaand they have already forgiven and forgotten about locking down the damn things in the first place.
(Score: 5, Insightful) by Runaway1956 on Thursday August 11 2016, @02:28AM
This ^
Microsoft used it's monopolistic position to force "secure boot" onto the world. If governments had any sense at all, any such plan would have required that GOVERNMENT hold the keys. If they had any real sense, they would have rejected the idea out of hand. The individual who purchases a piece of equipment should have all the rights to decide what purpose that equipment should be put to. He should NEVER have to go to some regulatory agency or corporation to ask permission to use his equipment.
Everything about this scheme disgusts me, and the fact that Microsoft has proven itself incapable of holding onto it's own keys only disgusts me more.
(Score: 2, Insightful) by Anonymous Coward on Thursday August 11 2016, @07:38AM
Office of Personnel Management. [washingtonpost.com]
If someone wanted to impersonate a Top Secret-plus clearance holder, well, all the information they need was contained within the collected documentation at the OPM. The contents of the files are so detailed that individuals often need to do research on themselves to find all the required information (which can include details of ancient addresses, foreign associates, past drug use, criminal record, sexual behaviors, etc.)
Nice job there, US gov. We're so glad we pay you 50% of our production off the top to ... do whatever it is you do. We'd be more than happy to give you keys to our backdoors and trust you to keep both safe from invaders.