[Mageia-discuss] FSF anf UEFI SecureBoot

[AL13N]

Op maandag 31 december 2012 15:53:51 schreef Ludovic V Meyer:
> 2012/12/30 AL13N <alien at rmail.be>
> 
> > Op zondag 30 december 2012 21:17:38 schreef Ludovic V Meyer:
> > > Except it does let 3rd parties OS boot, at least on X86, since the norm
> > > mandate it.
> > > And for arm tablet, no one reacted when Apple, Acer, Samsung, Archos and
> > > lots of others locked down their devices, so trying to argue that we now
> > > expect them to be open would not work.
> > 
> > actually, they didn't. you can root each of those iinm.
> 
> Using 3rd exploit is not really what I call open, they are not supported,
> likely against DMCA most of the time, and IMHO not reliable.
> Not to mention that it requires a manual intervention on each device. If we
> take the example of Apple, they closed every hole after a while when it was
> practical to do,and used the existing leagal way to prevent them ( see in
> 2009,
> the update of the developper agreement ). And since I know you will surely
> talk of if, the DCMA ruling for jailbreaking is just for phone, because
> unlike France, telcos in USA do not have to unlock your phone after a few
> months.
> 
> Not to mention that afaik, despites them being "not closed" by your
> definition, stuff like Iphonelinux are all dead in the water.
> Cyanogenmod only exist because from time to time, Google do a code drop,
> and they still suffer from needing a custom fork of the kernel.
> 
> So if the goal is "to be able to run what I want on my device", that's
> something that can already be done for applications. What people should say
> is "running what I want provided no money directly leave my pocket, but I
> do not mind spending days figuring how to do it, cause I prefer spend 1
> week than giving 100 bucks".

whatever you purchase, it's yours and you can do with it whatever you like for 
whatever purpose, as long as you're not using it to harm people, other 
property or violate laws (but even then, only these laws are violated, not the 
fact that you use something for another purpose.

in fact, this means they are restricting you for using your property in 
whatever way you see fit.

> this is about having a secure key hardcoded "burned" in the device, which is
> > both stupid and annoying. because since apps need to be secured too, too
> > many
> > people have access to the root key. which means the chance of leak is
> > higher.
> > which means that your devices need to be thrown out when the rootkey is
> > compromised or when it's deemed obsolete and a new key will be in place.
> 
> The key is handled by Verisign, and since that's their jobs since around 18
> years, I think they are qualified to do it.
> How many time in 18 years was the root cert of Verisign be compromised ?

Are we talking about the same key here? i do find it odd that verisign would be 
handling the microsoft key. Who actually has the decision power here?

> Also, you are totally wrong about throwing the device if the key is leaked.
> This happened to the PS3 due to the world-record breaking ignorance of Sony
> ( or one sub contractor ), and AFAIK, the PS3 all around the world still
> work ( and also, no one formally complained about gaming consoles being
> closed, despite some of them just being powerful PCs ). The same goes for
> various phones/tablet who have been broken this way ( like the Asus
> transformer, AFAIK ).
> 
> Burning a key in silicium is what Apple have been doing since a long time.
> That's also the modus operandi of TPM modules. They are used by several
> banking institutions as a way to make sure the harddrive is protected with
> bitlocker ( cause you do not want your highest executive laptops to be
> stolen and that this cause privacy and security issues ). IE, that is
> viewed as sufficient for FIPS certification and usage for military grade or
> banking grade security. And I am pretty sure the private key is stored in
> some HSM like the nShield solo or similar device.
> 
> Not everybody work like your client ( the one we talked about yesterday on
> IRC, if I am not wrong ). Some people take security seriously, and check
> what happens. But that's not security of the root key that matter, since no
> one ever asked for public scrutiny or a independent audit.
> 
> the thing here is that since you buy a device, it's yours and you can do
> 
> > what
> > you want with it. why would you give other parties control over your
> > device?
> > it's stupid. there needs to be a way as an owner to decide which root keys
> > you
> > trust or not.
> 
> You do not give control to another party, you delegate trust handling to
> another party.
> That's exactly what you do with a browser. Or your bank, or anything in
> life.

but you can still choose who you trust.

> Again, the norm mandate to be able to disable secureboot on x86 and to
> choose the key. The whole petition is about those that do not follow the
> norm, and for those, the incentive was to not being Windows 8 certified. So
> as annoying this will be, that's the best way to find something that let
> you run Linux.
> 
> > > And regarding using consumer protection channels, no one did anything to
> > > make anything move since one year despite being widely publicized on
> > > various blogs, so how is your proposal different ?
> > > 
> > > Talk is cheap, if every people who proposed that ( for example, on
> > 
> > slashdot
> > 
> > > or various foras where nerds are discussing ), someone would have
> > > started
> > > the work by the time. No one did, and that's because everybody that
> > > would
> > > be serious enough know this is built on wrong assumptions.
> > 
> > in the end talk is cheap and noone does anything about it. or rather
> > instead
> > of working together, all the companies who back the major linuxes decide
> > to go
> > down the easy route. (like subscribing into the microsoft program and
> > using
> > their root key...)
> 
> All plans that requires someone else to do anything is just a way to blame
> failure to someone else. If you delegate all your action to someone else,
> you lose the right to complain about this group not doing what you want.
> Only delusional fools would believe otherwise.
> 
> In fact, hardware not working on Linux is a decades old problem. We all
> have seen how boycott worked so well to have more hardware supported on
> linux, and how people happily trade freedom for convenience ( like nvidia
> drivers, printers, etc, etc ). People should just do a reality check from
> time to time before proposing the same plan again and again. Last time I
> checked, humans didn't evolve from goldfish, so maybe we could stop acting
> like them.