Posts by h4rm0ny

Re: I love W3C

"The ad men responded with; "We'll ignore DNT information from IE10.".

Actually the person who said that was a lean engineer at the Apache Foundation who unilaterally put in an unapproved patch to do that right before a major release and was roundly slapped by his fellow team members. IIRC, the revert comment said something like 'don't stick your politics into the code'. The commit actually worked below the web application level interfering with the actual HTTP header information.

The ad agencies actually were fine with having it buried in the browser settings. They know there's a coming storm with privacy and the original DNT would have let them say that people were voluntarily accepting the tracking whilst knowing that hardly anyone would trek through three layers of menus to turn it off. When MS were going to enable it by default, they actually changed the spec to disallow it, but MS found a way around that by including it in the default choices on browser setup.

So I see why it seems odd that MS are on this panel. But we really don't know what their position was in the meetings. Maybe they just feel they can have more influence from inside than from out.

Re: WebGL

Conceptually it is a security nightmare. That was always the given reason by Microsoft for not implementing it.

Re: Mostly Boredom

"I love the way James Bond breaks into the villain's office at night and the first thing he pulls out of the filing cabinet is the Master Plan. Dgeez, it takes me half an hour to find anything in my *own* filing cabinet."

I agree with your post overall, but I can't help thinking that any evil genius would probably be a lot more organized than us.

I mean, if you walked into an office, what would scream "Evil" at you more than a tidy desk? It's just wrong.

Re: Quick Noob Q.

it is possible it might have some secret option to be turned on/off within the EFI interface, before you can do just that.

The UEFI standard is just that - a documented standard shared created by a large range of big hardware players from AMD to Apple to Intel to Lenovo. There wont be "secret options" to turn on Secure Boot against the user's will. There's no such option in UEFI and no-one wants to fake a UEFI system.

Eadon logic dictates that market share is all when it comes to windows phone. Applies different logic to desktop.

Ah, I see. It wasn't clear from your post that you were highlighting Eadon's double-standards, I thought you were taking an unwarranted shot at Linux. He really is hugely destructive to debate.

@spoddyhalfwit. Don't let Easdon provoke you into negative attacks. GNU/Linux has loads to offer. Windows is good too. These things are not mutually exclusive. Linux powers at least half of the Internet for a start. Not to mention the Linux kernel being a critical part of Android. If you like Windows (I do), then Linux was one of the best things that happened to security in Windows by pushing MS to compete against a better opponent ten years ago. It's not a war, even if posters like Eadon want to make it one. Chill.

Re: Ah, another patent encumbered format @JDX

This is always about software patents, not the code itself. OK, you write a nice implementation, your code should be protected, I totally agree. But the algorithm used should be open, so that someone can provide an alternative implementation

This is worth examining. The above would be correct if the effort and work producing this was on the coding side, but it is actually largely on the algorithm side. I haven't looked at the algorithm, but I am a C++ programmer (or I was for some years) and I have some background in mathematics. I'm not at all trivialising the work that goes into implementing this, but if I look at the algorithm, my educated guess is that it wouldn't be that hard for me to turn it into code, just a little time because I'm rusty. But could I come up with the algorithm? I doubt it. I understand the principles detailed in this article and I dare say I could follow a more detailed version too, but my maths simply is not good enough to have done what these people did and nor do I have the large amount of time and effort these people were paid to put in.

What I'm saying, is that your suggestion that the code is what needs protecting, that "ripping off" involves copying the code, mistakes where the effort takes place, and thus where the protection should occur.

If someone creates a computer game where I am a gun running round shooting aliens in first-person view, well that's a simple idea, but the code will be huge and complex. Thus copyright law prevents me just copying it and calling it mine. But I can freely make my own version. If someone creates a complex series of sophisticated algorithms for video encoding/decoding, then the idea is the complicated part, but the implementation will be (relatively) simple in that I'm just taking the maths and turning it into code (with some parallelization if I want it to be a [I]good[/I] implementation. Thus the latter case isn't looking to copyright law to ensure the creators are fairly recompensed, but to patent law.

As you said at one point, the problem is that it becomes a standard. There are only three ways out of that. Either

* An Open Source alternative is created that is as good as the proprietary one.

* Users pay a very small sum to licence it directly.

* Someone pays it on behalf of the users.

The first has not happened, unfortunately. That would be the ideal.

The second would probably be the fairest second option but it requires more prevalent and easy micro-payments amongst users, so it's a solution for five years down the road. Though you can do it with some success today, so I would advocate this one.

The third is all nice and lovely, isn't it. In practice, it probably means Google showering you with ads and mining your data as free services usually do. Though Ubuntu maybe has enough revenue that they will do this in their case, it doesn't help the rest of the distros.

What isn't an option, imo, is simply throwing out the patent protection and saying you can just give other people's efforts away for free. The licencing terms are actually already quite generous in that you can give it away a 100,000 times before it is an issue. But surely if you are making money from other people's work (and Ubuntu *is* a business, as are others), then surely those others should have a right to recompense. I mean I actually could legally roll my own h4rm0nix distribution (you heard the name first here) and legally distribute the codec with it up to a 100,000 times. That's pretty cool. But move to a large business like Ubuntu, it's a different story, imo.

Re: The bill sounds good

and Eadon would be right. It is obvious, even for the article's author, that bill is obviously aimed to whack out MS competition

The bill affects anyone (including Microsoft) that would collect data on school children in the course of their education. The author of this article should be ashamed of themselves for their poor journalism. All Google have to do to comply with this law is to not collect data on the school children. It's not a law to ban Google from classrooms. But it is aimed at Google. There's no contradiction between the two. Google are attempting to exchange schoolchildren's data for free tools. I agree that this is wrong. All that would happen is Google would have to either start charging for their services to education like other companies, or else grant it truly free.

Re: RE: Never ascribe to malice that which can adequately be explained by incompetence

"The proof of this will be in 3 to 5 years down the road, as corporate PC's get retired, and hit the resale market. How difficult will it be for a second owner to put whatever O/S on it remains to be seen"

Not sure what you think the difficulty would be. You don't need Microsoft's assistance or any of the original install keys or discs to replace the OS that is on there. You just go ahead and install what you want, turning off Secure Boot if need be. Secure Boot prevents malware from changing what can boot on a PC, not what a physically present user can install.

Re: Microsoft reason of doing this

"they also take the chance to earn money from Linux."

Do you really think Microsoft are motivated by a $US99 fee they get from RedHat or SuSE asking them to sign a bootloader? Because that's how much has been charged.

Re: Interesting approaches to monopoly

Just a bit more, in case the previous seems ambiguous without context, here is the following paragraph:

18. Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv."

Also, apologies if the last part of my previous post came across as hostile. It just seemed very strange that you would tell somone the word was "can" instead of "must". You made it sound like you had read the specification, when actually the OP has the wording right.

Re: Interesting approaches to monopoly

"...Actually, the word is "can", not "must". So long as SecureBoot is turned on *by default* with the MS key installed, the OEM is under no obligation to provide a method to turn it off for the HW to be approved by MS."

I don't know where you got that from. It's incorrect. Here is a link to MS's hardware certification requirements for Windows 8 PCs. LINK

From the section on Secure Boot (around page 118):

""17. Mandatory. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:"

OEMs are absolutely under an obligation to allow users to disable Secure Boot to be turned off if they wish to comply to with MS's terms for certification. Why did you choose to "correct" someone who had it right?

Re: @dajames

"'AC@11/22-00:20 here, to be honest that's the first time I hear about Verisign keys in this UEFI SecureBoot context even though I'm a regular ElReg reader too."

The Reg's coverage here has been high on sensationalism, but rather weak on details. Verisign do provide keys for Secure Boot (I don't know whether or not they provide them for all OEMs, or just some). But obviously the component used for signing must be kept very secure, otherwise security would be compromised. So Verisign provide the keys, but MS have one of them to sign their code with (and they will sign other people's code too for a relatively small fee). Red Hat investigated doing it themself (i.e. they could get a key from Verisign too), but decided that managing that whole process plus the cost involved, was worse for them than simply paying MS to sign their code for them. The link you posted to RedHat is actually a very good link covering their decision. From there, this is probably the most relevant part:

challenge is how to both initially ship and later update the set of trusted keys stored in the system firmware. g all users to manually perform this task would not meet the ease of use objectives. After all, with any security feature if it's too hard to enable it, few will bother to use it and leave themselves exposed.

The resulting mechanism planned for getting the keys automatically distributed is to utilize Microsoft key signing and registry services. This obviates the need for every customer to have to round up a collection of keys for multiple operating systems and device drivers. t will provide keys for Windows and Red Hat will provide keys for Red Hat Enterprise Linux and Fedora. Similarly other distributions can participate at a nominal cost of $99 USD - allowing them to register their own keys for distribution to system firmware vendors.

MS get a key from Verisign, Red Hat side-steps all the hassle of doing it themselves by paying the $99 fee and MS sign it for them.

Re: GPT

"In passing, you don't need a UEFI BIOS to support disks >2Gb with Linux, provided you are happy with the plural. Once a linux kernel is up and running, it'll handle a disk with a GPT without any use of the system BIOS."

That's actually the same as under Windows. It's the "up and running" part that UEFI solves. With either Linux or WIndows, you can't boot off a disk 2TB or larger (note, you wrote 2GB, this is incorrect). WIth UEFI, you can (under either).

Re: @AManCalledBob - Don't like windows 8? Tough, you can't run anything else.

What gives you the confidence to assume all PC hardware manufacturers will allow you to disable secure boot ? Microsoft suggested them they can do it not that they must do it (after all they can't dictate to OEMs, can they?).

MS have specified that you have to be able to turn off Secure Boot if you want to advertise your PC as certified by them for Windows 8. That's a fairly powerful marketing draw. Besides which, what would OEMs have to gain by making their product less able than a competitors?

Re: Secure Boot can be turned off ... BUT ...

"Once you do, if you boot up a Live CD, say, Linux Mint 13, and try to install a dual boot, Linux does not recognize Windows 8 (nor any of the numerous partitions on the hard drive) as a valid operating system. How then to set up a dual-boot system?"

Are you saying you have had this happen to you? Because turning off Secure Boot shouldn't cause you any problems with dual booting. Windows 8 runs fine on systems without Secure Boot. I think you're very misinformed. I don't see how Linux would fail to recognize any of the partitions on the hard drive. Linux has better and wider file system support than Windows.

Re: Interesting approaches to monopoly

"So you can re-flash the UEFI from Linux (or other non-MS utility) with a UEFI of your own, with your own signing key and without MS's revocation rights? You know, so that the UEFI could secure-boot a non-MS OS?"

No. There's no flashing of firmware involved or anything remotely like that. You just power on the computer and enter UEFI, just like you would enter BIOS (typically, you press F1). Then you just select the option for Secure Boot and turn it off. You can then boot any OS you choose. You wont then be using Secure Boot.

This means that you can't benefit from Secure Boot with Linux if you do this, but no Linux distro really makes use of it at this time anyway. The signed boot loaders that RedHat and Ubuntu are providing don't really provide any security. All that they do is enable you to use a Live CD to demo or install their Distro without having to go into the UEFI and turn Secure Boot off. Beyond that initial boot loader, there's not much protection to be gained by using Secure Boot with Linux. Hopefully one of the main distros will make use of it in time.

Re: Re:Don't like windows 8? Tough, you can't run anything else.

"So if you buy a machine with Win8 from an OEM it will NOT boot any other OS."

This is incorrect. Just go into UEFI and turn off Secure Boot. It's very easy, no different to swapping the default boot device.

Re: Windows 8

"There are now only Apple and Windows computers available easily."

There is absolutely nothing preventing you from starting a business selling PCs with a Linux distribution pre-installed. Or indeed with no OS installed. Secure Boot hasn't changed that in the slightest.

"Not if it means they move off Windows. Everyone's a winner in that case."

So your ethics says it's okay to jeapordize people's security because you should be able to punish people for not choosing the OS you think they should?

Re: how to disable this secure boot

"And if the user can do it, any malware that gets into kernel mode can do it."

No. Because kernel mode doesn't have access to change the UEFI settings. The user does it by going into UEFI on power-up, just like they would go into BIOS and changing a setting. Just because the OS says something can be done, does not mean that the firmware will agree.

Re: Don't like windows 8? Tough, you can't run anything else.

"That's all very well unless you want to dual-boot - if you disable Secure Boot then Windows 8 won't start."

Seems massively unlikely that is true. You can install Windows 8 on machines without Secure Boot, after all. Evidence please.

Re: Boot on the other foot

"The problem isn't UEFI or Secure Boot in itself, it's Microsoft's abuse of its monopoly position in order to make it very difficult (if not impossible) to install any other operating system."

If you don't have a problem with UEFI or Secure Boot, then why you do have a problem with Microsoft when their own requirements demand that it be possible for a user to turn off Secure Boot on any WIndows 8 PC? Have you thought about how useful Secure Boot would be if it were turned off by default? Obviously not.

Re: This UEFI thing...

"This UEFI thing... why do I get the feeling it'll be a complete flop?"

Possibly because you don't understand the difference between UEFI and Secure Boot and aren't aware that pretty much all modern x86 motherboards are shipping with UEFI instead of BIOS and that this has already been the case for some time. I have a motherboard here I bought about a year ago. And it has UEFI. Quite possibly you are using it now as well.

Re: Once the pre-bootloader is released

I wrote above that it's not a "pre-" bootloader. I was incorrect. My argument is still the same, but they are now using the term "pre-bootloader" as well because (although this is a bootloader), they are using it to boot their normal boot loader. So I guess it is a "pre-" bootloader in a sense. Apologies for the wrong correction.

Re: And I have this habit of assembling my own computer

"How is UEFI going to affect that?"

It wont. Also, by UEFI, I presume you mean Secure Boot which is actually only a smallish part of UEFI. You can just turn Secure Boot off. Unless you are building your own ARM devices.

Re: how to disable this secure boot

"how to disable this secure boot that's all I would like to know"

When you power up the computer, press the key to enter set up. Typically <F1>. Then mouse or cursor to the option saying: "Secure Boot: Enabled" and toggle it to "Disabled" or "Off". Exit and let the computer start up. It's much like changing the boot device in BIOS.

Re: Windows 8

"You can't disable secure boot on all systems."

Specifically, you can disable it on all x86 platforms (i.e. PCs). You can't on ARM devices that come with WindowsRT installed.

Re: Once the pre-bootloader is released

"Why won't the virus writers simply bundle the pre-bootloader with their "products"?"

A couple of reasons. Firstly, they can't bundle the bootloader (it's not a "pre-", btw), because only a signed bootloader will be executed, so any malware has to start further up the chain. Secondly, the bootloader is for GNU/Linux so their malware actually has to target this platform rather than Windows. Well it doesn't have to, but you'd essentially be writing malware that infected Linux and then unloaded Linux and booted up Windows. Possible but very cumbersome. The install base of GNU/Linux is far smaller than Windows and most of the roots to infect the boot process would be opportunistic and thus target Windows.