date 2008-10-22
from the pentagon-says-no dept.
Volume 189 of The PCLinuxOS Magazine has an article on Bill Gates' evil prophecy from 40 years ago where he aims for ending general-purpose computing. He achieves that goal a step at a time over the decades, with the help of many a mole and quisling. Lately, the Pluton chip and Restricted Boot both play key roles towards ending this era of general-purpose computing. The Pluton chip is an extension of the Trusted Platform Module (TPM) used by Vista10 and required by Vista11. Canonical, the maker of Ubuntu, and even its upstream source, Debian, folded years ago in regards to secure boot by using Microsoft's signing key, possibly cementing that as the norm. The article covers that and many other incidents leading up to the current situation.
There is an ever-decreasing amount of time left to keep general-purpose computing alive and the author signs off with how to approach the political maneuvers going on:
The implications are already starting to show
At the beginning of the year, Matthew Garrett, the researcher who created the UEFI bootloader for Linux (which I do not agree with at all, as it sets a precedent for Microsoft to abuse the market, with its position of power, should not be allowed under any circumstances) said that the Pluton chip was not an attack on users' freedom to use whatever operating system they wanted, which was not a threat.
In July 2022, he recanted, when he was unable to install Linux on a high-end Thinkpad Z13, complaining that this was not a legal practice by Lenovo.
But, that's what Microsoft wants. Under the guise of enforcing security, it blocks the machine's access to the user himself, being the gatekeeper of personal computing. In other words, "my" microcomputer is over. From now on, it will be Microsoft's microcomputer, and only what it allows will run...[sic]
It is up to us, the users, to boycott AMD products that contain the Pluton chip, to favor recycled or refurbished computers. And there is still more to do:
- Support the Free Software Foundation's campaigns against Windows 11
- Support the Right to Repair movement, in the person of Louis Rossmann, one of the most prominent activists of this movement
- Bomb your congressmen with emails & phone calls, so that Microsoft is legally pressured not to go ahead with the Pluton project.
So folks, things have never been so in jeopardy as they are today. Microsoft wants to be the big brother, and dictate what everyone can run on their computers, under the benevolent guise of ensuring security. We can't afford that, or the future of personal computing and privacy will be ruined.
Finally, let's not forget that anyone who says they don't need privacy because they have nothing to hide is the same thing as not defending freedom of speech, because they have nothing to say...[sic]
Let's fight this! The scenario is ugly, and the battle will be hard!
However, procrastination by using only old or refurbished computers does nothing to address the cause of the problem. There is a finite supply of old equipment, anyway, and eventually it will run out. If there are no new general-purpose laptops, desktops, and servers in the pipeline by then, the era of useful computing will have drawn to a close.
Lucian Constantin writes at PC World that with the increasing number of 64-bit systems, experts say the incentive is growing for attackers to invest in methods of bypassing defenses like the PatchGuard kernel patching protection and the digital signature enforcement for drivers. "These protections have certainly increased the cost to build and deploy rootkits on 64-bit platforms," say McAfee researchers, but roadblocks set in place by 64-bit systems now appear to be "mere speed bumps for well-organized attackers", who have already found ways to gain entry at the kernel level.
The Secure Boot feature of the Unified Extensible Firmware Interface (UEFI), the BIOS replacement in newer computers, was designed specifically to prevent the installation of bootkits. It works by checking that the boot code inside the MBR is on a pre-approved whitelist and is digitally signed before executing it. However, over the past year security researchers have found several vulnerabilities in UEFI implementations used by many computer manufacturers that can be exploited from inside the OS to disable Secure Boot. Mitre security researcher Corey Kallenberg estimates that Secure Boot can be bypassed on about half of the computers that have the feature enabled. According to Kallenberg, OEMs have started to pay a lot more attention to BIOS security research and have started to react over the past year. "I think we're finally at a place where you'll see OEMs take this more seriously."
The company ESET, based in Slovakia, has announced finding the first-ever UEFI rootkit in the wild. Once infected with the malware the only option is to reflash the SPI firmware or else replace the whole motherboard.
First spotted in early 2017, LoJax is a trojaned version of a popular legitimate LoJack laptop anti-theft software from Absolute Software, which installs its agent into the system's BIOS to survive OS re-installation or drive replacement and notifies the device owner of its location in case the laptop gets stolen.
According to researchers, the hackers slightly modified the LoJack software to gain its ability to overwrite UEFI module and changed the background process that communicates with Absolute Software's server to report to Fancy Bear's C&C servers.
UEFI is an overly complex replacement for BIOS, and is often conflated with one of its payloads, Restricted Boot aka Secure Boot.
Red Hat and CentOS systems aren’t booting due to BootHole patches:
Early this morning, an urgent bug showed up at Red Hat's bugzilla bug tracker—a user discovered that the RHSA-2020:3216 grub2 security update and RHSA-2020:3218 kernel security update rendered an RHEL 8.2 system unbootable.
[...] The patches were intended to close a newly discovered vulnerability in the GRUB2 boot manager called BootHole.
[...] Unfortunately, Red Hat's patch to GRUB2 and the kernel, once applied, are leaving patched systems unbootable. The issue is confirmed to affect RHEL 7.8 and RHEL 8.2, and it may affect RHEL 8.1 and 7.9 as well. RHEL-derivative distribution CentOS is also affected.
Red Hat is currently advising users not to apply the GRUB2 security patches (RHSA-2020:3216 or RHSA-2020:3217) until these issues have been resolved.
Ubuntu and Debian are also apparently affected.
https://mjg59.dreamwidth.org/60248.html
After I mentioned that Lenovo are now shipping laptops that only boot Windows by default, a few people pointed to a Lenovo document that says:
"Starting in 2022 for Secured-core PCs it is a Microsoft requirement for the 3rd Party Certificate to be disabled by default."
"Secured-core" is a term used to describe machines that meet a certain set of Microsoft requirements around firmware security, and by and large it's a good thing - devices that meet these requirements are resilient against a whole bunch of potential attacks in the early boot process. But unfortunately the 2022 requirements don't seem to be publicly available, so it's difficult to know what's being asked for and why. But first, some background.
[...] Given the association with the secured-core requirements, this is presumably a security decision of some kind. Unfortunately, we have no real idea what this security decision is intended to protect against. The most likely scenario is concerns about the (in)security of binaries signed with the third-party signing key - there are some legitimate concerns here, but I'm going to cover why I don't think they're terribly realistic.
The first point is that, from a boot security perspective, a signed bootloader that will happily boot unsigned code kind of defeats the point. Kaspersky did it anyway. The second is that even a signed bootloader that is intended to only boot signed code may run into issues in the event of security vulnerabilities - the Boothole vulnerabilities are an example of this, covering multiple issues in GRUB that could allow for arbitrary code execution and potential loading of untrusted code.
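To see which signing certificates a machine's firmware trusts for boot, which is what the third-party certificate setting discussed above governs, the Secure Boot `db` variable can be parsed directly. The Python below is an added example, not code from the quoted post or from any project named on this page; it assumes the Linux efivarfs file layout and that the firmware setting is reflected in `db`, runs on constructed placeholder data, and its match on the certificate subject string is a heuristic, not certificate validation.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Subject name of the Microsoft certificate used to sign third-party boot code.
THIRD_PARTY_CN = b"Microsoft Corporation UEFI CA 2011"

def parse_signature_lists(raw):
    """Yield (type, owner, payload) for every entry in an efivarfs db file."""
    data = raw[4:]  # efivarfs prefixes each variable with a 4-byte attribute word
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        pos, end = off + 28 + hdr_size, off + list_size
        if sig_size < 16 or pos > end or end > len(data) or (end - pos) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        while pos < end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def trusts_third_party_ca(raw_db):
    """Heuristic: look for the CA's subject string inside any X.509 db entry."""
    return any(t == EFI_CERT_X509 and THIRD_PARTY_CN in sig
               for t, _, sig in parse_signature_lists(raw_db))

def _siglist(sig_type, owner, payload):
    """Build one single-entry EFI_SIGNATURE_LIST (used only for the sample data)."""
    body = owner.bytes_le + payload
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, len(body)) + body

# Constructed sample data: placeholder bytes, not real certificates or a real db dump.
OWNER = uuid.UUID(int=1)          # constructed owner GUID
ATTRS = struct.pack("<I", 0x27)   # NV | BS | RT | time-based authenticated write
WINDOWS_ONLY_DB = ATTRS + _siglist(EFI_CERT_X509, OWNER, b"CN=Microsoft Windows Production PCA 2011")
FULL_DB = (WINDOWS_ONLY_DB
           + _siglist(EFI_CERT_X509, OWNER, b"CN=" + THIRD_PARTY_CN)
           + _siglist(EFI_CERT_SHA256, OWNER, bytes(32)))

if __name__ == "__main__":
    # On a real Linux system, read /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    for name, blob in (("windows-only", WINDOWS_ONLY_DB), ("full", FULL_DB)):
        print(name, len(list(parse_signature_lists(blob))), trusts_third_party_ca(blob))
```

A `db` that lacks the third-party CA entry will not verify bootloaders signed under it, such as the shim used by most Linux distributions, even though Secure Boot itself is working as designed.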
(Score: 2) by Opportunist on Sunday October 09, @06:17PM
The Cyberpunk P&P RPG listed a few decks that were prohibitively expensive, which was kinda odd when you think that computers in general were dirt cheap.
Now it starts to make sense. The decks are the pieces that can actually run the kind of software you want, instead of being locked down to doing their master's bidding. Cyberpunk 2020 finally becomes real, just a few years late.
(Score: 2) by Rosco P. Coltrane on Sunday October 09, @06:19PM
The author is outraged at Microsoft's play to take control of personal computers, but probably owns a cellphone that is his, yet is entirely under the control of a creepy giant big data company hell-bent on extracting as much data as possible from everybody on Earth, and has been for a decade and a half now.
Why isn't he outraged about that too, uh?
Cuz I sure am. I've been hopping mad since those goddamn devices appeared on the scene. And for some odd reason, nobody seems to bat an eyelid over the astonishingly frightening level of control Google and Apple have over the mobile computer of essentially everybody on the planet, that holds a goodly portion of everybody's most private data, and that is increasingly impossible to live without.
How nobody is scared to death and outraged over this, and why no government seems to be reacting even a little bit is totally beyond me.
Microsoft controlling PCs... Yeah. But please go after Google and Apple first. Because THEY are much more dangerous and they're already completely entrenched.