EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

02.27.13

Microsoft Much Worse Than Proprietary With ‘Secure Boot’ Scam, Pretends to be ‘Open’

Posted in Free/Libre Software, Microsoft at 1:50 pm by Dr. Roy Schestowitz

Emergency phone

Summary: Some of Microsoft’s latest technical attacks on Linux and some responses to EEE (embrace, extend, extinguish) tactics and FUD

Torvalds clearly refuses to give up by putting blobs and keys (similar to but worse than firmware) by adding Microsoft interfaces for Microsoft-signed keys inside the kernel, especially if these are Microsoft’s. This is major news that got the attention of journalists and a known Microsoft booster incites against Torvalds over this (just see headline and image here). Red Hat has been getting close to Microsoft again, so as one blogger put it:

  • Linus Bites RedHat

    It’s great that Linus does not support the idea of making M$ the keeper of the keys. We’ve had enough of that in IT for decades. Free Software needs to remain free of M$ and anyone else who wishes to lock out competition. Linus is not a great lover of FLOSS. His views are based on practicality. It’s stupid to lock Linux into M$. Does RedHat really believe it’s a great thing if millions of GNU/Linux boxes quit booting if M$ revokes a key via firmware upgrade etc.? Do they really think “secure boot” is about security of the world’s IT rather than perpetuation of M$’s monopoly on legacy x86 stuff? Using the damned keys to induce the world to take another step on the Wintel treadmill is just too tempting a fruit to trust M$ to leave it alone.

  • Closed !== Open

    I don’t think so. In the immortal words of Paul Maritz, “* to combat Nscp. we have to have position the browser as “going away” and do deeper integration on Windows. The stronger way to communicate this is to have a “new release“ of windows and make a big deal out of it. We will thus position Memphis as “Windows 98′. * IE integration will be most compelling feature of Memphis.“ Nathan Myhrvold wrote, “I think that it is CRUCIAL to make the statement we ask people about in the survey, or the statement we ask them to sign etc. is worded properly. Saying “put the browser in the OS” is already a statement that is prejudical to us. The name “Browser” suggests a separate thing. I would NOT phrase the survey. or other things only in terms of “put the browser in the 0S’‘. Instead you need to ask a more neutral question about how Internet technology needs to merge with local computing. I have been pretty successful in trying this on various joumalists and industry people.“ To sum up, is the company that brought waves of malware to the world of IT by integrating a totally insecure web browser with their OS in order to mess with competitors to be trusted as “open”? No. M$ is a closed corporation with closed products intending to close out competition by fair means or foul. Pretending to be open is just a means to delay the shift to real openness, FLOSS, or to slow that shift.

Even more Microsoft-apologetic circles accepted Torvalds’ skepticism. To quote one:

As it turned out, almost all of the Windows 8 machines that first appeared had Secure Boot implemented in such a way that Linux was locked out. Workarounds have appeared, but they are based on Microsoft-signed keys. As the maker of the dominant Windows operating system, Microsoft has a responsibility to protect fair play in a way that it didn’t here. In this day of virtualization and usage of multiple operating systems, it’s unfair to build an operating system around a methodology that allows for complete and utter lockout of other platforms. Torvalds’ reactions are only protests at the end of the chain reaction that all of this represented. The fact is that if Microsoft wants to be accepted as playing more fairly with open source these days than it ever has, it has carry that concept through to how it deals with everything it builds and how it deals with hardware makers.

Microsoft pretends to be open, but it’s not working. Here is another new embrace-and-extend attempt:

The expanded partnership between Microsoft and Hadoop distribution specialist Hortonworks has borne fruit with the release of a beta of Hortonworks’ Hadoop Data Platform for Windows.

With its hidden patches and a deal with Sourcefire Microsoft must have hoped to diss Linux some more. Watch this nonsense:

But simple vulnerability counts can give a distorted view. The Linux kernel is considered to be one monolithic project across the entire period, for example, while every version of Windows is a separate project. The total count of vulnerabilities for all Windows versions exceeds Linux. But then Windows is more than just a kernel. Add in all the software included in Linux distributions, and Linux goes back into the doghouse. Younan counted just the high-severity vulnerabilities, those with a Common Vulnerability Scoring System (CVSS) score of 7 or higher. Windows XP tops that list. “Windows Vista is at the number five position, even though Microsoft put a lot of effort into securing Windows Vista,” he said. “The Linux kernel isn’t even in the top ten.” Vista was the first version of Windows to benefit from Microsoft’s Security Development Lifecycle (SDL), the software development process created after Bill Gates’ Trustworthy Computing memo of January 2002. Yet from the vulnerability perspective, Vista looks like little more than a rough draft of Windows 7. Counting high-severity vulnerabilities alone, Flash Player is back in the top 10, at number five. The count of high-severity vulnerabilities doesn’t exhibit that 2012 uptick, only the steady post-2006 decline. However when looking at just critical vulnerabilities, those with a CVSS of 10, there’s no sign of a decline at all.

What silly way to count vulnerabilities. As one of the many comments points out: “I largely agree with Alex in Comment 3 (I also agree with Myth in Comment 1 that 22 != 25, but I digress). Without knowing which kernels had which CVEs reported against it, and which distros shipped with those kernels and how many people used the vulnerable kernel and the averages of people updating on install… ‘simply’ citing the Linux CVEs are practically meaningless.” The FUD against Linux recently seems like part of a trend this month, with Microsoft partners behind it.

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

4 Comments

  1. mjg59 said,

    February 27, 2013 at 2:57 pm

    Gravatar

    The patches in question do not include any blobs or keys. You should correct your first paragraph.

    Dr. Roy Schestowitz Reply:

    “The way we have come up with to get around this is to embed an X.509 certificate containing the key in a section called “.keylist” in an EFI PE binary and then get the binary signed by Microsoft. The key can then be passed to the kernel by passing the signed binary” -David Howells at LKML

    mjg59 Reply:

    Yes. It adds an additional keyloading interface to the kernel, alongside the keyloading interface that already exists. The only thing it changes is that it allows you to use a different key format. It adds no keys or blobs to the kernel.

    Dr. Roy Schestowitz Reply:

    I’ll amend the post.

What Else is New


  1. Links 28/4/2015: More on Debian 8 “Jessie”, Fedora 22 Beta Walkthrough

    Links for the day



  2. Microsoft is Attacking Android Like Never Before, Qisda the Latest to Sign Patent Extortion Deal

    More blackmail and propaganda against Android, courtesy of the gentler, kinder, 'new' Microsoft



  3. Caution Needed When Microsoft Copywriters Flood the Media With Microsoft Propaganda

    Media actively subverted by Microsoft-sponsored agents of deception, whose goal is to change what people think of Microsoft and its software, even if by lying (they call it 'marketing')



  4. Gartner Staff That Worked for Microsoft and the Latest Nonsense from Gartner or 'Former' Staff

    Gartner waited until 2015 to declare FOSS fit for databases; another example spotted where Gartner staff comes from Microsoft or vice versa



  5. Links 27/4/2015: Debian 9 Named, Linux 4.1 Reaches RC

    Links for the day



  6. Microsoft is Interjecting Itself Into GNU/Linux and Free Software News, Even Events and Foundations

    Microsoft's entryism strategy is proving effective as Microsoft successfully embeds itself inside the idealogical competition, subverting the competition's overall message and diluting the competition's focus on Free software



  7. The Unethical Business of Selling Fear of Free/Libre Software Bugs (Black Duck, Sonatype, and Symantec)

    The spreading of fear of Free/Open Source software (FOSS) is now a growth industry, so proprietary opportunists are eager to capitalise on it, even if by distorting the truth



  8. Patients' Data at Risk as NHS Reinforces Its Microsoft/Accenture Stockholm Syndrome

    The worst privacy violator in the world and the firm behind LSE failures are pocketing as much as £0.35 billion of British taxpayers' money to acquire access to very sensitive data of British people



  9. Links 26/4/2015: Debian 8, OpenMandriva Lx 3 Alpha, Mageia 5 RC

    Links for the day



  10. Links 25/4/2015: Debian LTS Plans, Turing Phone Runs Linux

    Links for the day



  11. Who Kills Yahoo? It's Microsoft, Not Yahoo!

    The media should blame Microsoft, not Marissa Mayer, for what's going on (and has been going on for 7 years) at Yahoo!



  12. EPO Management is Trying Hard to Appease Its Critics While Pushing Forth Unitary Patent Agenda

    The European Patent Office and European Commission promote the agenda of large multinational corporations (at the expense or European citizens) and critics are being kept at bay



  13. Real Patent Reform Will Not Come From Biggest Backers of GNU/Linux, Not Even Google

    A look at the 'new' Google, the company which is hoarding patents (2,566 last year alone) instead of fighting for reform



  14. Microsoft's Troll Intellectual Ventures Loses Software Patents

    Intellectual Ventures is bluffing with software patents, but this time around it doesn't get its way



  15. Links 24/4/2015: Ubuntu and Variants in the News, Red Hat Developer Toolset 3.1

    Links for the day



  16. Links 23/4/2015: Ubuntu 15.04 is Out, Debian 8.0 Out Very Soon

    Links for the day



  17. Links 22/4/2015: Fedora 22 Beta, Atlassian Acquires BlueJimp

    Links for the day



  18. The Dying Debate Over Patent Scope (Including Software Patents) Replaced by 'Trolls' (But Not the Biggest Ones)

    The corporate media and Web sites or people who are funded by large corporations have essentially suppressed any debate about issues in the patent granting process, thereby guarding software patents and preventing criticism of large corporations' power grab



  19. The Patents Gold Rush Continues

    The morbid obsession with monopolising mere ideas still dominates the media, even increasingly in China



  20. 9 Millionth US Patent Tells a Story of Failure and USPTO Misconduct

    The USPTO, much like FISA (notorious court for surveillance/espionage authorisation), has become a rubber-stamping operation rather than a patents examination centre, as new evidence and old evidence serve to show



  21. HBO Helps Shift Debate Over Patents to 'Trolls' (Scale), Not Scope

    More of that awkward shifting of the patent debate towards small actors who are misusing patents, not large conglomerates like Apple and Microsoft which use patents to destroy competitors, crush startups, drive up prices, and so on



  22. Software Patents Are Still Menacing to Free Software: OIN Expands Scope, HEVC Adds to MPEG-LA Burden/Tax, Google and Facebook Give in on Patents

    A look at recent news about software patents and especially Free/libre software, which is inherently incompatible with them



  23. The Latest Developments Around Microsoft's Clever Attack on Android/Linux

    Microsoft's campaign of destruction, extortion, etc. against the most widely used Linux-powered operating system is revisited in light of new reports



  24. The Microsoft 'Community' is Maligning the Free Software Community

    Dishonest generalisations and baseless deductions portray the Free/Open Source software communities as a nasty place that leads to poverty and despair



  25. Googlebombing 'Microsoft Open Source' Even When Microsoft Shuts Down Its 'Open Source' Proxy

    A massive failure by the press to cover the most basic news, which is Microsoft putting an end to a supposedly 'Open Source' effort



  26. Links 22/4/2015: Calculate Linux 14.16, SparkyLinux 4.0 RC KDE

    Links for the day



  27. Links 21/4/2015: Project Photon, Ubuntu Touch Buzz

    Links for the day



  28. Embrace, Extend, Extinguish: How Microsoft Plans to Get Rid of Linux/Android

    Microsoft's sheer abuse against Android is laying bare for everyone to see now that Microsoft has paralysed Google's legal department with potential antitrust action in Europe



  29. Yahoo's Current CEO (Mayer, Formerly of Google) is Trying to End Yahoo! Status as Microsoft Proxy

    There are signs of relinquishing Microsoft's control over Yahoo! after Marissa Mayer worked to end the company's suicidal/abusive relationship with Steve Ballmer's Microsoft



  30. Repeating Microsoft's Lies Without Any Journalistic Assessment

    Poor fact-checking by relatively large media/news sites results in Microsoft's patently false claims being repeated uncritically


CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts