10.25.22

Gemini version available ♊︎

GNU/Linux Users Infuriated by Microsoft’s Lennart Poettering Attacking Linux Freedom

Posted in Deception, GNU/Linux, Kernel, Microsoft at 7:45 pm by Dr. Roy Schestowitz

Related: Microsoft is Trying to Hire (Read: Pay Salaries to) Matthew Garrett

Did you join Microsoft to attack Linux?

Summary: Microsoft’s Lennart Poettering didn’t take long to show his true colours… (and agenda)

AS just noted in Daily Links (or here), Lennart Poettering is being bossed by the NSA’s foremost tentacle (Microsoft) and he acts accordingly. He says “I would go as far as saying that SecureBoot on Linux distributions is mostly security theater at this point, if you so will.” (It is in general the case, not just in Linux)

But he wishes to go further with the security theater.

Although LWN lacks comments on this matter and Phoronix is, as usual, just Microsoft-friendly fluff these days, we need to examine comments in Phoronix. Here are some:

And of course, the UKI must include systemd, that will take over as a UEFI payload and control everything in the system!

Responding to the above:

Next year’s new systemd plugin, same old story.

More:

Great. Some of the reasons I can’t stand Windows.

How about no, especially if it makes it harder to build your own kernels or to make changes to the initrd

Responding to the above:

That’s the fly in the ointment. The whole trusted boot and execution system requires end users to be able to load their own keys into the UEFI boot key store. Not all hardware allows that. For that matter not all PC hardware even allows for it. The only way this works is if there’s some way to require OEMs to allow third party keys other than those signed by a megacorp. Apple and Microsoft will fight that with every dirty trick, lawsuit, and just plain underhandedness they can – and not enough users will even notice to bother to protest – so it’s unlikely there would be any effective regulatory process to stop it. Think of the kids. Think of the corporate bottom lines. Think of national security. Think of…

To which the reply was:

That is not enough — if there is a way to enroll user keys, evil maid can use it to inject her own. There are some solutions, but they are super complex in comparison to just fuse corpo-keys. Anyhow, all this requires user to fully trust the motherboard firmware, which is not verifiable.

More:

No, thanks. I’ll opt to continue configuring and building my kernels (and initramfs) locally. Unsigned, very true. Trusted by …. me
And yes, running an OpenRC system here.

Bureaucracy has arrived at Linux. Every bit needs a form and a signature before it can be flipped.

This is ridiculious. Securtity has nothing to do with signing if there is not trust in that chain.
You must trust the parties involved in signing – and in case of Microsoft one would be crazy to trust it (we got lots of proofs).
All those pseudo security features made the computers much less trust worthy – using minix to spy on users (Intel) – the stupid
boot signatures which are more for making GNU/Linux more inconvenient or broken than making anything more secure.
And the big binary monster of systemd may be nice to improve boot time and avoid race conditions, but the killing of processes
and other things configuered in disguise does not make the situation better but much worse.
Trust comes if you understand your system – and if other use reasonable defaults.
Init scripts were easy – systemd is a monster in comparison.
So while not against a trusted boot process in general, the authority must be trustworthy – and I am not aware of anything
which would provide the necessary level of trust.
And if big companies are involved it comes with a necessity of matching agendas – and not concerning security but more to the contrary.
So this is just a Trojan Horse … and a realy obvious one.

Bureaucracy came to Linux decades ago.

No, it was optional and so has not arrived, but was only lurking in the shadow. A bit like you.

The way I see it is this corporate FUD – the type of features corporations create when they have become too large to fail, and need to trick customers to get them to believe they need something they do not. And who is he working for now? Right, Microsoft … I did not need a secure boot process in 25 years and I did not need Microsoft, and this is not going to change.

And?
It’s generated locally which makes it 1000 time more trusted than being generated remotely by who knows on what server run by who knows who!
Why the fuck would I want it to be built and signed by someone who I don’t know and trust?
Lennart, get lost with your Microsoft infested ideas that can only think on how to infest more computers with its spyware!
From all the employers you couldn’t work for another one?
I’m starting to feel more and more disgusted about this attitude and thinking that we are so stupid to want thing built by somebody else, especially by Microsoft!

Reply:

If it’s reproducible, it kinda doesn’t matter who signs it. If it also makes it 1000x harder for anyone to sign images that aren’t reproducible, then most end-users have avoided plethora of attacks – quite unattainable for malware makers and most bad actors.

I’m starting to feel more and more annoyed how I can’t give regular people an hardened Linux setup resistant to most ab- and misuse. All because of some pointless feet-dragging all while the actual threats to computing freedom fly past unnoticed.

More:

You are simply not save from mega corporations. They will try to cash in on every bit of fear, uncertainty and doubt you may have. They want you to need them and to buy from them. First they tell you it is ‘locally generated’, then it is ‘generated’, and then to best buy it from them for a price…

Uhu, so we all need to pay someone else to give us a f* rng nft: “hey daddy, can you please sign my initrd?, here are some bucks for your efforts”, to use whenever it actually matters because, yes, I bet everyone would be able to sign their own stuff, but of course, we would need certified signatures from some megacorp *cough, Microsoft, cough* to use our own things anywhere outside our home lab.

We have seen this sh* with secure boot or web certificates to name two from the top of my mind; good intentions on paper, implementation faulted by design to maximize profit for a selected few.

I have not lost time or work to an attack which would be hindered by secure boot and don’t know anyone else who has either. I have repaired and recovered data from computers for myself and others by booting external media of my own contrivance. I gain substantial benefit from external media Linux installations where my usb stick or SSD carries a useful environment to most any machine.

I see zero benefit, only pain as the boot process gets locked down like a cell phone, game console or Windows. It is about security, not user security, not my security, not your security. Who is Lennart working for now? Who is putting up the money? There is a good place to start looking.

“How on earth that now would work” you say… So you do not know and have got no idea. At least are you not hiding your ignorance. You must think all this encryption can be disabled or worked around easily. It is like you expect nightclubs to have two entrances, one with a bouncer and one without, where you can choose one or the other in case the bouncer does not let you in. You seem to be missing the basic principle here. It has to be mandatory at every link and layer, or it will be as weak as the weakest point. So it is either a useless feature or a guaranteed source of trouble for admins and anyone who wants their freedom.

Seems like this is the biggest problem: Asshole vendors that don’t allow the user to sign their own shit. Funny how the whole “Trust” issue requires me to trust corporations who have done the wrong things in the past that hire people I’ve never met and vetted that run closed source code that isn’t audited or vetted by a greater community at large.

Am I the weird one for thinking that I don’t like being forced to trust them and that it’s fucked up that I’m not allowed to trust myself or those that I deem trustworthy? I feel like the phrase “Protect and Serve” comes to mind.

Since you’re at Microsoft, how about getting them to flex their muscles into strong-arming vendors and BIOS makers into making a method that allows the user to add their own keys so the initrd can be added to the secure chain and mitigate all the systmed madness…Or have you taken too many Soma Tabs, Linus.

Systemd is great, but it doesn’t have to be the solution to every problem. It can be A solution, but it sucks when it’s THE solution.

Ah yes, another dubious “security feature” that is just another thinly veiled excuse for big corpos to control the open source ecosystem.

Never forget “Embrace, extend, and extinguish”!

Is Lennart Poettering the Klaus Schwab of linux world? Honest question.

There will be more to come for sure. Maybe even a bunch of Microsoft AstroTurfers.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New


  1. IRC Proceedings: Tuesday, February 07, 2023

    IRC logs for Tuesday, February 07, 2023



  2. When the Pension Vanishes

    Today we commenced a multi-part mini-series about pensions and what happens when they suddenly vanish and nobody is willing to explain where all the money went



  3. Sirius 'Open Source' Pensiongate: An Introduction

    The Sirius ‘Open Source’ series continues in the form of a mini-series about pensions; it’s part of an ongoing investigation of a deep mystery that impacts people who left the company quite a long time ago and some of the lessons herein are applicable to any worker with a pension (at times of financial uncertainties)



  4. Links 07/02/2023: Endless OS 5.0 and Voice.AI GPL Violations

    Links for the day



  5. No Doubt Microsoft Unleashed Another 'Tay', Spreading Bigotry Under the Guise of Hey Hi (AI)

    Reprinted with permission from Ryan



  6. Links 07/02/2023: Fedora 39 Development Plans Outlines

    Links for the day



  7. IRC Proceedings: Monday, February 06, 2023

    IRC logs for Monday, February 06, 2023



  8. Links 06/02/2023: Escuelas Linux 8.0 and Many Political Issues

    Links for the day



  9. Links 06/02/2023: Sparky 6.6 and IPFire 2.27 – Core Update 173

    Links for the day



  10. Taking Back Control or Seizing Autonomy Over the News Cycle (Informing People, Culling the Marketing)





  11. Reality Versus Fiction: EPO Insiders Versus EPO Web Site and UPC 'Churnalists'

    The "official" sources of the European Patent Office (EPO), as well as the sedated "media" that the EPO is bribing for further bias, cannot tell the truth about this very large institution; for proper examination of Europe's largest patent office one must pursue the interpretation by longtime veterans and insiders, who are increasingly upset and abused (they're being pressured to grant patents in violation of the charter of the EPO)



  12. Links 06/02/2023: Linux 6.2 RC7 and Fatal Earthquake

    Links for the day



  13. IRC Proceedings: Sunday, February 05, 2023

    IRC logs for Sunday, February 05, 2023



  14. Links 05/02/2023: Wayland in Bookworm and xvidtune 1.0.4

    Links for the day



  15. Links 05/02/2023: Pakistan Blocks Wikipedia, Musharraf Dies

    Links for the day



  16. IRC Proceedings: Saturday, February 04, 2023

    IRC logs for Saturday, February 04, 2023



  17. Links 04/02/2023: FOSDEM Happening and Ken Thompson in SoCal Linux Expo

    Links for the day



  18. 2023 is the Year Taxpayers' Money Goes to War and Energy Subsidies, Not Tech

    Now that a lot of powerful and omnipresent ‘tech’ (spying and policing) companies are rotting away we have golden opportunities to bring about positive change and maybe even recruit technical people for good causes



  19. Getting Back to Productive Computer Systems Would Benefit Public Health and Not Just Boost Productivity

    “Smartphoneshame” (shaming an unhealthy culture of obsession with “apps”) would potentially bring about a better, more sociable society with fewer mental health crises and higher productivity levels



  20. Links 04/02/2023: This Week in KDE and Many More Tech Layoffs

    Links for the day



  21. Dotcom Boom and Bust, Round 2

    The age of technology giants/monopolies devouring everything or military-funded (i.e. taxpayers-subsidised) surveillance/censorship tentacles, in effect privatised eyes of the state, may be ending; the United States can barely sustain that anymore and raising the debt ceiling won't solve that (buying time isn't the solution)



  22. Society Would Benefit From a Smartphoneshame Movement

    In a society plagued by blackmail, surveillance and frivolous lawsuits it is important to reconsider the notion of “smart” phone ownership; these devices give potentially authoritarian companies and governments far too much power over people (in the EU they want to introduce new legislation that would, in effect, ban Free software if it enables true privacy)



  23. IRC Proceedings: Friday, February 03, 2023

    IRC logs for Friday, February 03, 2023



  24. IRC Proceedings: Thursday, February 02, 2023

    IRC logs for Thursday, February 02, 2023



  25. Links 03/02/2023: Proton 7.0-6 Released, ScummVM 2.7 Testing

    Links for the day



  26. Links 03/02/2023: OpenSSH 9.2 and OBS Studio 29.0.1

    Links for the day



  27. Links 03/02/2023: GNU C Library 2.37

    Links for the day



  28. Sirius Finished

    Yesterday I was sent a letter approving my resignation from Sirius ‘Open Source’, two months after I had already announced that I was resigning with immediate effect; they sent an identical letter to my wife (this time, unlike before, they remembered to also change the names!!)



  29. The Collapse of Sirius in a Nutshell: How to Identify the Symptoms and Decide When to Leave

    Sirius is finished, but it's important to share the lessons learned with other people; there might be other "pretenders" out there and they need to be abandoned



  30. Links 03/02/2023: WINE 8.1 and RapidDisk 9.0.0

    Links for the day


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts