The UEFI 9/11 - Part VIII - Denial of Service and Selling Us WSL (Windows) Instead of "Risky" (Prone by Breakage by Microsoft) GNU/Linux
Yesterday: Nobody Denies That SecureBoot Will Cause Problems After September 11
It's almost Monday where we are, so we've decided to release Monday's part a little bit earlier than originally planned (nothing set in stone, except September 11 - a date envisioned by the issuer, not us).
But first, a little background: In Part I we introduced the issues in simple terms, in Part II we focused on the attacks on people who merely talked about these issues, Part III primarily tied things together, Part IV named some of the culprits, and Part V advised people to turn off "SecureBoot" (also in the sister site now that we're in September; live and learn). Part VI spoke of the "Serious Harm" that will be caused to many ordinary computer users and Part VII said that the event is only days away.
Less than an hour ago we recalled what happened last summer because a reader asked us about it. Many people already turn off "SecureBoot" (enabled by default), which is a good thing.
Restricted Boot (so-called 'SecureBoot') does not improve security. It is nothing but trouble. It's meant to trouble non-Windows users. In dual-boot setups, SecureBoot is a recipe for disaster because Microsoft keeps erasing or tampering with the boot sector, to paraphrase an associate. Some readers tell us the same, based on personal experience (at any time Microsoft will turn off the dual boot function for many people or intentionally break it; there's a long history to that effect - it's empirical, not hypothetical).
The appeasers who said dual-boot would be good enough (or those who sell WSL instead of GNU/Linux, i.e. selling Windows and calling it "Linux") aren't friends. They might consider themselves friends, but they leave you under the control of Microsoft, which is definitely unfriendly.
We're reminded that OpenBSD got around it by telling people to put a second hard drive or SSD (external or internal) for UNIX-like operating systems, hence restricting Microsoft's access to anything other than Windows.
That generally became easier in recent years with newer PCs; they now have two slots in them, or so we've heard, and therein - in a certain, not so high - price range it's possible to add a second physical 'drive'.
What Microsoft did with the certificates is a premeditated "low burn", applied at a very low level where 'fixing' things is hard or nearly impossible for most users. It's not like software repos having an outdated certificate, in which can you cannot retrieve new software (from those particular repos). This is about whether your system will boot at all (or NOT). It adds up in the form of anxiety and uncertainty. Remember AARD. And "not a day after the commit," an associate said, "everything broke... sitting there smoldering for over a year."
This is why we keep comparing it to a time bomb or a submarine waiting to emerge.
There's a simple fix (which would work on most PCs): disable so-called 'SecureBoot'. Never turn that darn thing on. You don't need it, that can only harm security.
There are Microsofters who say, "just use WSL". They probably want people to forget the time Microsoft bricked WSL, denying users access to their pseudo-Linux for nearly a week until Microsoft finally 'fixed' it via Windows Update. Being locked out of one's system (and files) for nearly a week isn't an option for most people. █