
posted by janrinok on Tuesday March 03 2015, @07:25PM
from the ministry-of-freedom-it-department-(minifree-dept) dept.

Apparently, Lenovo's newest laptops lock down the BIOS to vendor-signed versions. This is a problem since BIOS nowadays gets more and more powerful, sometimes with network access etc., so basically it forces the user to boot a proprietary OS with full HW and network access before potentially booting an open source system. However, the problem might be bigger than Lenovo making some bad decisions, since Lenovo only made a misguided choice between freedom and security, but they didn't implement any new features. Intel provides the combination of "boot guard" feature together with verified boot.

The idea behind it is not too bad: To have a trusted system, you need a chain of trust, starting with the boot loader. If every subsequent piece of software is verified before being started, the system could be considered to be in a safe state. The verification can be done by signed code. Now, there are three ways to handle this. Either the system doesn't use TPM at all. This might leave the system vulnerable if an attacker can flash his own BIOS. Or the system enables verified boot, which means a BIOS not signed with the vendor key is simply not booted, the system doesn't start. Or the system offers measured boot. This means the system would boot, but be marked as not trusted by the vendor; however, it could still be verified against some other key provided by the hardware owner. (For details, please read the linked article.)

The article I linked states that it is Intel's mistake to even provide the "verified boot" feature. I'm not sure I fully agree, as Intel apparently would support the measured boot approach as well, and it was Lenovo's decision to not use that option. However, as a consumer I could not imagine any advantage "verified boot" offers over "measured boot", so I'd be happy if Intel would scrap this anti-feature. A lock is only your friend as long as you own the key; a door is only your friend if you are allowed to change the lock (key).

BTW: Could we rename the topic "Security" to "Freedom and Security"? Usually these topics are always linked.
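
The difference between verified boot and measured boot described in the story above, as an added example that is not part of the original submission or of any vendor's code. Assumptions: the firmware, bootloader and kernel images are constructed byte strings, the vendor's signature check is modelled as an allowlist of approved SHA-256 digests rather than real signature verification, and the measurement register follows TPM-style extend (new = H(old || measurement)).

```python
import hashlib
import hmac


def digest(blob: bytes) -> bytes:
    """SHA-256 measurement of one boot stage."""
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the register can only be folded forward, never set."""
    return hashlib.sha256(pcr + measurement).digest()


def verified_boot(chain, vendor_approved):
    """Enforcing policy: stop at the first stage the vendor did not approve.

    Returns (stages_started, stage_that_was_refused_or_None).
    """
    started = []
    for name, blob in chain:
        if digest(blob) not in vendor_approved:
            return started, name
        started.append(name)
    return started, None


def measured_boot(chain):
    """Recording policy: every stage runs, and the final register value
    summarises exactly what ran and in which order."""
    pcr = bytes(32)  # register starts as all zeroes
    for _name, blob in chain:
        pcr = extend(pcr, digest(blob))
    return pcr


def matches(pcr: bytes, reference: bytes) -> bool:
    """Constant-time comparison against a reference value."""
    return hmac.compare_digest(pcr, reference)


# Constructed sample images (not real firmware).
VENDOR_FW = b"vendor firmware image v1 (constructed sample)"
OWNER_FW = b"owner-built firmware image (constructed sample)"
TAMPERED_FW = VENDOR_FW + b" plus unexpected extra bytes"
BOOTLOADER = b"bootloader (constructed sample)"
KERNEL = b"kernel (constructed sample)"


def chain_with(firmware: bytes):
    return [("firmware", firmware), ("bootloader", BOOTLOADER), ("kernel", KERNEL)]


# What the vendor approves, and the reference values each party expects.
VENDOR_APPROVED = {digest(VENDOR_FW), digest(BOOTLOADER), digest(KERNEL)}
VENDOR_REFERENCE = measured_boot(chain_with(VENDOR_FW))
OWNER_REFERENCE = measured_boot(chain_with(OWNER_FW))  # chosen by the hardware owner


def compare_policies(firmware: bytes) -> dict:
    """Run the same boot chain under both policies and report the outcome."""
    chain = chain_with(firmware)
    started, halted_at = verified_boot(chain, VENDOR_APPROVED)
    pcr = measured_boot(chain)
    return {
        "verified_started": started,
        "verified_halted_at": halted_at,
        "measured_matches_vendor": matches(pcr, VENDOR_REFERENCE),
        "measured_matches_owner": matches(pcr, OWNER_REFERENCE),
    }


if __name__ == "__main__":
    for label, fw in (("vendor", VENDOR_FW), ("owner", OWNER_FW), ("tampered", TAMPERED_FW)):
        print(label, compare_policies(fw))
```

Under the enforcing policy the owner-built image and the tampered image are indistinguishable (both are refused), while under the recording policy the owner-built image matches the owner's reference and the tampered image matches neither.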

  • (Score: -1, Troll) by Anonymous Coward on Tuesday March 03 2015, @07:32PM

    by Anonymous Coward on Tuesday March 03 2015, @07:32PM (#152691)

    News at 10

    Orthodox Stallmanite foams at the mouth.

    • (Score: 1, Insightful) by Anonymous Coward on Tuesday March 03 2015, @08:01PM

      by Anonymous Coward on Tuesday March 03 2015, @08:01PM (#152714)

      Security and privacy seem tangential in my mind.

      Re: parent:
      There might be a Ben Franklin quote that fits in here.

      -- gewg_

      • (Score: 3, Informative) by captain normal on Wednesday March 04 2015, @03:49AM

        by captain normal (2205) on Wednesday March 04 2015, @03:49AM (#152880)

        humm...you mean this one? "They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

        --
        "Everyone is entitled to his own opinion, but not to his own facts" --Daniel Patrick Moynihan--
        • (Score: 0) by Anonymous Coward on Wednesday March 04 2015, @04:10AM

          by Anonymous Coward on Wednesday March 04 2015, @04:10AM (#152884)

          That's the one I was thinking of.

          -- gewg_

    • (Score: 2) by Jeremiah Cornelius on Tuesday March 03 2015, @08:51PM

      by Jeremiah Cornelius (2785) on Tuesday March 03 2015, @08:51PM (#152742) Journal

      Another NSA/GCHQ apologist heard from.

      --
      You're betting on the pantomime horse...
  • (Score: 4, Interesting) by Bot on Tuesday March 03 2015, @07:38PM

    by Bot (3902) on Tuesday March 03 2015, @07:38PM (#152695) Journal

    The verified boot is easily done with a physically protected EPROM and a BIOS with very little code, all these systems do not ensure secure boot, they ensure that those holding the right keys can snoop remotely with no problems.

    Of course we have two other problems, to verify the hardware and to thwart IRL surveillance, I have not much against the latter because an ad hoc and therefore a bit expensive kind of surveillance is less prone to abuse than widespread surveillance thanks to factory compromised stuff.

    Anyway, since the name is "Intel" we can't say we weren't warned :D

    --
    Account abandoned.
    • (Score: 0) by Anonymous Coward on Wednesday March 04 2015, @01:59AM

      by Anonymous Coward on Wednesday March 04 2015, @01:59AM (#152847)

      This sort of thing is a 100% waste of time if you have the right tools.

      https://vimeo.com/110257380 [vimeo.com]
      https://vimeo.com/111417458 [vimeo.com]
      https://www.youtube.com/watch?v=4bM3Gut1hIk [youtube.com]

      There is no such thing as 'trusted boot' using many of the current parts out there. In order to run, encrypted programs need to be decrypted first. The typical way is to get the code to decrypt it for you then you can use your trojan to read the code and build your own.

      I like the first 2 as they show how to root a BluRay device. Which is supposedly one of the more tricky ones out there and the definition of trusted boot. The third one shows how just the knowledge of data can give you insight as to how to hack it.

      These trusted boot guys are making the same classical mistake most people make with encryption. Encryption is time limited. It can almost always be broken pretty much with a bit of time. In this case they have to start somewhere that is not encrypted. If that were not true MESS/MAME and most emulation out there would not exist.

      Is it hard and tedious to unwind? Yes. Impossible to do? Not really.

      • (Score: 2) by tangomargarine on Wednesday March 04 2015, @03:09AM

        by tangomargarine (667) on Wednesday March 04 2015, @03:09AM (#152866)

        Probably not really the same thing, but I quite enjoyed the Google Tech Talk on how they hacked the original X-Box, which was encrypted and signed and everything, although apparently implemented sloppily.

        http://www.youtube.com/watch?v=6fOjGLCctEY [youtube.com]

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
  • (Score: 5, Interesting) by TheGratefulNet on Tuesday March 03 2015, @07:42PM

    by TheGratefulNet (659) on Tuesday March 03 2015, @07:42PM (#152696)

    the t420s that I bought about 2 years ago had a bios lock that would prevent you from installing your own chosen pci-e card (wireless, wlan, even some ssd internal ports were locked). it was a bios 'whitelist' and only lenovo branded items would be allowed in.

    I tried buying an ac-wireless card that was exactly like the one lenovo installs. I COULD NOT BUY ONE, NOT EVEN *FROM* LENOVO. first, I contacted lenovo myself and got nowhere. 2nd, I went thru a local store that does a lot of lenovo business. they called on my behalf and even THEY could not order one. I was asked for a photo of my laptop's bottom (lol) to show the serial #. I gave them that. it was not enough and they still refused. motherfuckers.

    I found a website that would edit the blacklist/whitelist stuff. yes, it's risky. I did not do the work so I don't know what exactly went into this bios update, but I did trust it, it does work and I am now able to install any wireless pci-e mini card that I want.

    I won't ever be buying lenovo again. their hardware was great, but this anti-freedom stuff was too much work to get around. and now, they have upped their war on users with this latest stunt.

    bye bye lenovo. oh, and hp is the same way; they also lock down their laptops. so avoid both.

    --
    "It is now safe to switch off your computer."
    • (Score: 2) by tangomargarine on Tuesday March 03 2015, @07:52PM

      by tangomargarine (667) on Tuesday March 03 2015, @07:52PM (#152709)

      And presumably if you had bricked your hardware in the process of fixing it, they would have just laughed at you.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 3) by TheGratefulNet on Tuesday March 03 2015, @08:22PM

        by TheGratefulNet (659) on Tuesday March 03 2015, @08:22PM (#152725)

        totally. they'd require me to buy a whole new motherboard, which is about the cost of the whole laptop.

        I did take my chances. and part of me still worries about what is buried inside the bios 'unlocker' that I installed ;(

        do I do anything on the laptop that I would worry about? no. its no longer a trusted laptop, but I can still use it for non-mission critical things.

        to be honest, given lenovo's take on things, even the as-shipped state would not be a trusted platform for me. so, I just traded one master for another, in a way.

        --
        "It is now safe to switch off your computer."
    • (Score: 2) by E_NOENT on Tuesday March 03 2015, @07:56PM

      by E_NOENT (630) on Tuesday March 03 2015, @07:56PM (#152711) Journal

      the t420s that I bought about 2 years ago had a bios lock that would prevent you from installing your own chosen pci-e card (wireless, wlan, even some ssd internal ports were locked). it was a bios 'whitelist' and only lenovo branded items would be allowed in

      What a buncha scumbags.

      --
      I'm not in the business... I *am* the business.
      • (Score: 3, Interesting) by TheGratefulNet on Tuesday March 03 2015, @08:27PM

        by TheGratefulNet (659) on Tuesday March 03 2015, @08:27PM (#152727)

        it acts like a hardware fault. you get a blue screen when you boot up, at bios, before the HD is even checked for a boot sector.

        I would not mind, as much, if I could BUY the 'right' card, but I tried pretty hard and even with a receipt in hand for my own personal laptop, lenovo would not sell me the 'correct' 802.11ac intel centrino card.

        I'm using one, now, that I bought at the local store. $30 for ac-grade wireless. no lenovo name on it, but my laptop now accepts it.

        no, I can't update the bios anymore. I don't want to lose what I gained ;)

        when its time to go with another laptop, years from now, lenovo won't even be in the short-list. and again, hp won't either, since they also play the 'lock the bios via whitelist' games.

        I could -almost- understand why they do this, for business grade lappies. you want to know that everyone has the same hardware and that drivers are all the same, etc. but I did have proof that my laptop was owned and bought by me, and so what else would I have to 'prove' to them to get to BUY their card or install my own?

        very eye-opening. I obviously did not know about this when I bought it. hopefully more people know this, now.

        --
        "It is now safe to switch off your computer."
        • (Score: 1, Interesting) by Anonymous Coward on Tuesday March 03 2015, @08:36PM

          by Anonymous Coward on Tuesday March 03 2015, @08:36PM (#152735)

          I could -almost- understand why they do this, for business grade lappies. you want to know that everyone has the same hardware and that drivers are all the same, etc.

          It would be so much more customer-centric if they just provided a unique password with each laptop that let you turn that on/off, or even just let you conditionally authorize a new peripheral. Hell, they could have done it with a usb-dongle - plug in the dongle, reboot and all currently installed hardware goes into the white-list. Just some way for IT to control it if they want to.

          From your description it sounds like the worst possible implementation of hardware configuration control. I'm more inclined to see it as a money-grab, locking customers into over-priced lenovo peripherals, that was ultimately implemented with the shortest of sight.

        • (Score: 4, Insightful) by jdccdevel on Tuesday March 03 2015, @09:07PM

          by jdccdevel (1329) on Tuesday March 03 2015, @09:07PM (#152747) Journal

          I would have returned the laptop as defective, and demanded a refund.

          Working properly with standards-conforming peripherals is an expected use-case for any computer, and the sort of component white-listing BS you're describing is, IMHO, a slam-dunk reason for demanding a refund, and I'm sure any small-claims court would agree if they refused.

        • (Score: 2) by Hairyfeet on Wednesday March 04 2015, @09:34AM

          by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Wednesday March 04 2015, @09:34AM (#152947) Journal

          Thanks for the heads up, Lenovo has been having some sales as of late but if any customers ask I'll steer them clear.

          BTW when it comes time to replace? Might want to take a gander at Asus, I've had nothing but luck with Asus and they seem to provide driver updates longer than anybody. I liked them enough when I decided to get rid of my Dell full size for something easier to carry I went with the Asus AMD EEE netbook and it's still just purring away after nearly 6 years, hell it still gets nearly 4 hours on the original battery!

          As for TFA? I don't have a horse in this race as I'm an AMD exclusive shop but I suppose it all comes down to who holds the keys, if it's Intel? No thanks, if it's the user? Then I could see why some would want it, might be a nice extra bit of security on business laptops.

          --
          ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
          • (Score: 2) by Reziac on Wednesday March 04 2015, @05:45PM

            by Reziac (2489) on Wednesday March 04 2015, @05:45PM (#153155) Homepage

            Squaretrade (a secondary warranty company, therefore it's in their best interests to know this stuff) has a study on laptop failure rates here:

            http://www.squaretrade.com/laptop-reliability-1109/ [squaretrade.com] (page 6)

            Their stats are probably about the best you'll find, as they looked at over 30,000 laptops. Their 3-year average of 20% malfunctions across all brands sounds about right, per my observations. Also, they found 'premium' laptops failed less. (D'oh!)

            Every other article I found uses Squaretrade's numbers.

            One suspects Asus comes out on top because being a more-vertical manufacturer, they have a better handle on component quality.

            --
            And there is no Alkibiades to come back and save us from ourselves.
            • (Score: 2) by Hairyfeet on Wednesday March 04 2015, @06:14PM

              by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Wednesday March 04 2015, @06:14PM (#153172) Journal

              Well all I know is I've never had any bad ones when it comes to Asus, even the EEE (which only cost $350 with an 8GB of RAM maxxing out) seems to be well built and has nice extras like the Asus version of Splashtop on the EEE which is handy as hell for when you just want to do a quick check of your webmail and don't want to fire up the OS. Fans work pretty well, the units are well laid out, I don't think I've ever had a customer complaint when it comes to the Asus laptops, they don't have as many bells and whistles as some of the others but personally I'd rather my customers get something that lasts as opposed to be a bunch of extra buttons and crap.

              And on a final note Asus seems to be really good about picking parts that are pretty standard and well supported, no weird funky wireless chips or audio that quickly becomes unsupported, which when you've bashed your head against the wall trying to find some weird sound chip driver or massage some wireless chip that was practically a one off? You really come to appreciate somebody that uses bog standard hardware in their builds. I really have nothing bad to say about them really, just really well built laptops all around.

              --
              ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
              • (Score: 2) by Reziac on Wednesday March 04 2015, @06:25PM

                by Reziac (2489) on Wednesday March 04 2015, @06:25PM (#153184) Homepage

                Totally agree on that. I greatly appreciate both durable and "works all the fucking time without demanding to be treated like a special snowflake". I've bashed my head against parts that were seconds and wouldn't play nice with the standard driver supposedly for that very chip... Gateway systems had spasms of being wretched for this, where if you couldn't get the Gateway-tweaked driver, you were SOL.

                Had any experience with Toughbooks? not that I plan to (ow$ow$ow) buy one but just curious.

                --
                And there is no Alkibiades to come back and save us from ourselves.
                • (Score: 2) by Hairyfeet on Sunday March 08 2015, @01:52AM

                  by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Sunday March 08 2015, @01:52AM (#154302) Journal

                  Had a US Army customer that had one, he abused the shit out of it and the thing survived Iraq so I'd say that's a pretty good endorsement. But from what I've seen unless you are gonna be putting it into conditions like going to third world hellholes? they are really overkill.

                  Hell that little $350 EEE is on its sixth year of being shoved under my truck seat and the thing is still purring like a kitten so I'd say as long as you use some common sense, put it in a sleeve or case so it don't get the screen scratched, don't sit on it (you'd be surprised how many laptops I've stripped because somebody forgot a laptop on the backseat and little Billy plopped their ass on it) and don't leave it running in the bag? Pretty much any of the Asus line will do ya well. If you want me to recommend one the AMD quad APU lappies, those babies multitask like crazy and do full 1080P over HDMI as smooth as butter, even with BluRay content. Picked up a couple for customers, one of which is working on it all day and plugging it into his widescreen TV when he gets home and using it as an HTPC, he is nothing but happy.

                  --
                  ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
                  • (Score: 2) by Reziac on Sunday March 08 2015, @02:16AM

                    by Reziac (2489) on Sunday March 08 2015, @02:16AM (#154309) Homepage

                    I've seen used Toughbooks for around $500. Dunno what their real condition is but something to consider if I ever decided to splurge (haha) considering I don't really need latest and greatest. I've dragged home a few castoff laptops for free, but fact is I don't have enough use for one to justify investing in something better. I just don't haul the computer around with me much. If I were to go crazy and buy a nice new one, yeah, I'd have to seriously look at Asus.

                    --
                    And there is no Alkibiades to come back and save us from ourselves.
                    • (Score: 2) by Hairyfeet on Sunday March 08 2015, @07:20AM

                      by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Sunday March 08 2015, @07:20AM (#154377) Journal

                      Try keeping an eye out on Cowboom [cowboom.com], you can find some great used and refurb deals there.

                      --
                      ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
                      • (Score: 2) by Reziac on Sunday March 08 2015, @07:32AM

                        by Reziac (2489) on Sunday March 08 2015, @07:32AM (#154382) Homepage

                        Hadn't heard of Cowboom, thanks for the tip! Looks like a pretty good selection, too.

                        --
                        And there is no Alkibiades to come back and save us from ourselves.
                        • (Score: 3, Informative) by Hairyfeet on Sunday March 08 2015, @10:44PM

                          by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Sunday March 08 2015, @10:44PM (#154657) Journal

                          You ever been to Best Buy? Know how they offer to give you a trade in on your working laptop toward the latest and greatest? Ever wonder where those laptops go? Well here ya go, Best Buy set up Cowboom so the local stores don't have cheap used competing with the new hotness. That is why you see them from all over the country, its different BB locations. They hand 'em to Geek Squad who checks the hardware and does a wipe and reinstall and then they slap 'em on there. If you keep an eye out? You can get INSANE deals there, I picked up a couple of Intel Atom netbooks there for $80 a pop, I got 'em and they were like new and worked great.

                          You might also want to take a gander at those Acer portables if you want a thin and light, they had several models with AMD C and E series APUs that had pretty decent performance and could hold 4GB of RAM, picked up a couple for customers and they are still using them to this day, you can even use them as HTPCs as long as you stick with 720P.

                          --
                          ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
                          • (Score: 2) by Reziac on Monday March 09 2015, @12:53AM

                            by Reziac (2489) on Monday March 09 2015, @12:53AM (#154699) Homepage

                            Didn't know that! Might as well take advantage, Worst Buy being so bloody expensive. Will definitely pass the info along as I do run into folks looking for that cheaper laptop. Gotta know your prices (some of their camera/camcorder listings are no bargain) but hells bells, sub-$200 is more my price for a 'new' laptop.

                            --
                            And there is no Alkibiades to come back and save us from ourselves.
                            • (Score: 2) by Hairyfeet on Monday March 09 2015, @02:37PM

                              by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Monday March 09 2015, @02:37PM (#154886) Journal

                              As long as you know your CPUs? That site is great. Personally I'd never pay more than $120 for an Atom dual (and it'd have to be REAL nice for me to pay more than $100), same goes for the Celeron, but you can find some nice Pentium duals and Athlon X2s on that site in the sub $200 range, even seen a few Phenom X4s and AMD A series but you have to jump on those pretty quick as they go fast. Good luck!

                              --
                              ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
                              • (Score: 2) by Reziac on Monday March 09 2015, @02:53PM

                                by Reziac (2489) on Monday March 09 2015, @02:53PM (#154895) Homepage

                                Yeah, if I'm gonna buy a fresh one at all, it's gonna be a for-really Pentium -- I'll use a Celeron if it falls on my head but I don't chase 'em. Hadn't even thought about Atom, I suppose it'd be all right in a sub-notebook but not in a real usin' machine.

                                --
                                And there is no Alkibiades to come back and save us from ourselves.
                                • (Score: 2) by Hairyfeet on Monday March 09 2015, @04:24PM

                                  by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Monday March 09 2015, @04:24PM (#154953) Journal

                                  Actually the Atom duals (NOT the single with HT, the actual dual cores) do have a use or two...they make good HTPCs as long as you don't mind 720P, you have guests over frequently? Its nice to have a netbook you can just hand out if they need to get on the web, I even knew a guy that hooked one to a 4TB USB external and used it as a streaming media hub for his LAN.

                                  But the ones you really should be on the look out for are the AMDs, and this isn't because I always favor AMD (which I do) but for the simple fact that they are damned near always paired with a MUCH better GPU than anything you'll get with a Pentium! Even the low end AMDs are usually paired with a HD3200-HD7200 GPU and I've played Bioshock I on an HD3200 at 30FPS on low to medium so that should tell you how much horse they got. Even if you don't game the codecs AMD includes in their drivers will give you full hardware acceleration for most formats, with Intel anything below the second gen core i3 based you are lucky to get anything other than MPEG 2 & 4 and even then it's REAL picky about it. My wife has a Pentium dual 2.3Ghz and compared to my wimpy E350 netbook I can do full 1080p over HDMI on most formats, she can't for anything other than MPEG 2.

                                  So if you want my advice? Look for the AMD models, the superior GPU will give you more bang for the buck than the couple points of single threaded performance you get from Intel.

                                  --
                                  ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
                                  • (Score: 2) by Reziac on Monday March 09 2015, @05:40PM

                                    by Reziac (2489) on Monday March 09 2015, @05:40PM (#155002) Homepage

                                    Wouldn't be gaming on a laptop no matter what -- might install good old DOOM (cuz you can't have a day without dead hellspawn) but nothing else. If the display suffices for a nicely usable Windows screen and can do tolerably watchable video, and has a legible DOS screen font, that's good enough for anything I might drag around with me. Not going to be any time soon, but if one catches my eye I'll give you a shout and you can tell me if I'm crazy or not. :)

                                    But I'd have to feel a need ... I don't drag around the Twinhead (my "new" laptop, haha) often enough as it is, and it's a 2002 model. 1GHz and 256mb (may not be upgradeable), with about a 10" screen and a dying battery, but if I do replace it, it's because the wiring to the screen is twitchy and everything has to be just right or the picture whites out. Well, it was free!!

                                    Oh, didn't you point me at TinyXP? runs like the wind on the old Twinhead, but doesn't support a USB mouse, and I ***loathe*** touchpads... TinyXP also didn't support the wireless, and it's a DLink PCcard that's about as generic as it can get, even Puppy Linux sees it fine. But man does TinyXP run fast, holy shit!

                                    Friend uses an Atom PC as a fileserver/media box, that's all it does and does it well enough. Right tool for the right mission, eh?

                                    --
                                    And there is no Alkibiades to come back and save us from ourselves.
                                    • (Score: 2) by Hairyfeet on Monday March 09 2015, @08:28PM

                                      by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Monday March 09 2015, @08:28PM (#155065) Journal

                                      Yeah I'm the guy that pointed out TinyXP, BTW you might try Tiny 7 as that has more built in USB support so it might solve your problem.

                                      But if you're not being mobile, why not a desktop? You can find an old P4 with screen and keyboard pretty cheap most places, yeah I know the P4 sucks balls, just wait a tick. What you do then is rip out that shitty P4 board for an AMD E350 or AMD Socket AM1, you can find the refurb E350 boards on Amazon for around $30 and that's a dual core with HD6310 GPU so its great for videos, and the socket AM1 APUs is the same ones used in the new PS4 and XB-1 so its got plenty of kick and you can buy the dual core AND the board for less than $50. Just slap in a RAM stick off of eBay or Amazon and voila! A desktop that will do anything you want and will last for quite awhile. Hell there are vids of guys playing Crysis 3 on the AM1 APUs so you KNOW they'll handle anything you can throw at 'em!

                                      But yeah, grab a copy of Tiny 7 and give it a go, its nearly as fast as Tiny XP and its got better support for USB and wireless so you'll probably be able to get everything up and running, good luck!

                                      --
                                      ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
                                      • (Score: 2) by Reziac on Monday March 09 2015, @08:56PM

                                        by Reziac (2489) on Monday March 09 2015, @08:56PM (#155075) Homepage

                                        I got desktops comin' out my ears, only problem is they're all old enough to vote, haha. I have a couple newer boards (defined as maybe 6 or 7 years old) that I'll do something with when I get to it. Most of the gear is still boxed up from the Great Northward Migration.

                                        I found Tiny7 too but I vaguely recall that the installer threw an error. Might have to pull another copy. There was a newer TinyXP but it had a decompression error. Torrents, bah... You'd think Microsoft itself would promote such stuff as a way of keeping older machines from migrating out of the fold.

                                        --
                                        And there is no Alkibiades to come back and save us from ourselves.
    • (Score: 0) by Anonymous Coward on Tuesday March 03 2015, @08:50PM

      by Anonymous Coward on Tuesday March 03 2015, @08:50PM (#152741)

      HP laptops have had the same, for quite some time. They claim it's because FCC approval requires the wifi card to be locked, and any other vendor of wifi card would be "untested", thus invalidating the FCC approval. Nevermind that the other wifi cards wouldn't be using the laptop's antenna - they'd be using their own on-board antenna, and thus be FCC approved on their own.

      An electrical engineer blogged about this, and apparently installed a switch on a critical PCIE line, to make the BIOS think the card wasn't present. Then, he could boot to Linux normally, suspend to RAM, flip the switch on, resume the system, and reboot using kexec to start a new kernel while bypassing the BIOS, and use his wifi card.

    • (Score: 2) by Kilo110 on Tuesday March 03 2015, @09:31PM

      by Kilo110 (2853) Subscriber Badge on Tuesday March 03 2015, @09:31PM (#152753)

      "the t420s that I bought about 2 years ago had a bios lock that would prevent you from installing your own chosen pci-e card (wireless, wlan, even some ssd internal ports were locked). it was a bios 'whitelist' and only lenovo branded items would be allowed in."

      This is nothing new. I had a HP laptop back in the early 2000s. I wanted to upgrade the 802.11B wireless card to 802.11G. The wifi card was even user accessible!

      Easy, right?

      Nope, bios level whitelist. Why? Fuck if I know. Never bought another HP.

    • (Score: 3, Informative) by datapharmer on Tuesday March 03 2015, @10:01PM

      by datapharmer (2702) on Tuesday March 03 2015, @10:01PM (#152766)

      From what I've seen they typically use American Megatrends BIOS (using a flash recovery typically dumps the Lenovo logo and reveals this). Editing the BIOS image based on this information shouldn't be too terribly hard. It isn't like they are using any exotic components or anything. It is all off the shelf parts.

  • (Score: 5, Insightful) by tangomargarine on Tuesday March 03 2015, @07:48PM

    by tangomargarine (667) on Tuesday March 03 2015, @07:48PM (#152704)

    This entire idea is solving a problem that doesn't exist with a far worse solution. (cf. voter ID disenfranchising voters to "solve voter fraud", systemd killing everything else that makes Linux Linux to "solve boot times")

    Does any malware these days actually rewrite your boot sectors? And even if it does, you should apply the rule "if you suspect your system is compromised in any way, nuke and pave." Can't corrupted boot sectors be solved with some combination of LiveCDs, firmware reflashers, and dd?

    But no, let's "solve" this "problem" by taking away my ability to do what I damn well want with my damn hardware that I damn paid for.

    Oh, but the companies promise that they'll never do that. Just ignore the guy standing over you with a big hammer, promising not to use it while giving you angry-looking expressions and waiting for you to let your guard down.

    It's not paranoia if they really are out to get you, and the *AA have amply demonstrated that.

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 5, Interesting) by Adamsjas on Tuesday March 03 2015, @08:11PM

      by Adamsjas (4507) on Tuesday March 03 2015, @08:11PM (#152720)

      Read the second link in the story.

      This isn't talking about the boot sector any more, it kicks in WAY earlier than that.

      The original concern was boot sector modification, then it became bios modification, and now these locks are designed to prevent changing anything in the computer, including things like adding cards into slots.

      We all suspect it is to protect spyware already installed. Even if Intel's original goal wasn't that, the net effect is exactly that.

      • (Score: 4, Interesting) by TheGratefulNet on Tuesday March 03 2015, @08:29PM

        by TheGratefulNet (659) on Tuesday March 03 2015, @08:29PM (#152732)

        and you'll probably need the infamous 'intel yellow books' in order to really know what is going on, down and dirty, in the hardware and firmware.

        never heard of the yellow books? 99.9% of the chip and board designers have not, either.

        as was told to me, you cannot fully design with intel cpus, today, unless you have FULL docs and the docs you get without an nda from intel are not enough to fully develop a system from scratch.

        --
        "It is now safe to switch off your computer."
    • (Score: 3, Insightful) by Thexalon on Wednesday March 04 2015, @12:28PM

      by Thexalon (636) on Wednesday March 04 2015, @12:28PM (#152986)

      > let's "solve" this "problem" by taking away my ability to do what I damn well want with my damn hardware that I damn paid for

      The problem being solved is not the boot sector being overwritten. The problem is that Intel doesn't get a nice chunk of change for allowing an Intel machine to boot your chosen operating system. Also, I suspect, given Intel's past associations, another problem is that you can buy a computer without paying Microsoft or Apple.

      Of course, neither of those are any kind of problem to you, but they are a problem for Intel.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 1, Informative) by Anonymous Coward on Tuesday March 03 2015, @08:04PM

    by Anonymous Coward on Tuesday March 03 2015, @08:04PM (#152716)

    Intel's

    -- gewg_

  • (Score: 0) by Anonymous Coward on Tuesday March 03 2015, @08:10PM

    by Anonymous Coward on Tuesday March 03 2015, @08:10PM (#152719)

    ... can it be disabled by the user or do I have to go RTFA?

    • (Score: 3, Insightful) by q.kontinuum on Tuesday March 03 2015, @08:33PM

      by q.kontinuum (532) on Tuesday March 03 2015, @08:33PM (#152734) Journal

      No, it can't be disabled. That's the point.

      --
      Registered IRC nick on chat.soylentnews.org: qkontinuum
  • (Score: 2) by moondrake on Tuesday March 03 2015, @08:42PM

    by moondrake (2658) on Tuesday March 03 2015, @08:42PM (#152738)

    >so basically it forces the user to boot a proprietary OS with full HW- and network access

    I do not understand what this is supposed to mean. Boot guard does not block you from running your own OS. It does block you from running your own BIOS though.

    • (Score: 2) by q.kontinuum on Tuesday March 03 2015, @09:03PM

      by q.kontinuum (532) on Tuesday March 03 2015, @09:03PM (#152744) Journal

      As written in the summary, BIOS nowadays often has all required drivers included, so basically it is a full blown OS. There are Linux based BIOSes, after all. And this (BI)OS is booted and takes full control before your OS is loaded.

      --
      Registered IRC nick on chat.soylentnews.org: qkontinuum
  • (Score: 1) by Rich on Wednesday March 04 2015, @12:12PM

    by Rich (945) on Wednesday March 04 2015, @12:12PM (#152981) Journal

    If someone was actually in search of a solution to help the end user, while maintaining convenience for the vendor, solder jumpers might help.

    Have two solder jumpers on the board:

    1.) Grounds #WP on the flash chip when soldered closed. This prevents any writing to flash.

    2.) Disables boot code hash and allows booting any code when cut open.

    Having them behave like this has maximum tamper resistance. With 1, an attacker could not take over the machine without desoldering equipment; with 2, the vendor can easily verify if any warranties may be void.

  • (Score: 2) by meisterister on Wednesday March 04 2015, @01:51PM

    by meisterister (949) on Wednesday March 04 2015, @01:51PM (#153012) Journal

    Lenovo also builds AMD based laptops. Can I assume that if I bought one of those I'd actually own it?

    --
    (May or may not have been) Posted from my K6-2, Athlon XP, or Pentium I/II/III.