back to article Cryptoboffin: Secure boot a boon for spooks' spyware

A leading computer scientist has warned that the latest so-called Trusted Computing proposals may restrict the market for anti-virus and security software. Cambridge University Professor Ross Anderson warns that the secure boot features in the UEFI firmware specification - understood to be required on certified Windows 8 …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    A governmental nightmare

    One of the efforts used to satisfy the UK governments data security requirements, is to encrypt the hard drive.

    If code like this was blocked from running on machines, then we would be in real trouble. We wouldn't be able to encrypt any devices and that would mean the end of anyone taking any devices out of the buildings.

    Having said that, because of the cheapy hardware manufacturers cutting corners on their motherboards, the encryption systems won't work on some netbooks anyway. Are you listening Mr Dell?

  2. Thomas 18
    Thumb Down

    Anticompetitive

    So much for anticompetitive legislation

  3. Paul Crawford Silver badge
    Thumb Down

    Ultimate Trojan

    Interesting point, as once installed you can't detect the Trojan as the OS can prevent any user-space software from accessing those files (or re-direct to untainted copies), and you can't boot a 3rd party or 'open' tool to perform an untainted scan.

    Germany has already got laws to allow such state-sponsored 'malware' in the name of law & order, Turkey has apparently done the same.

    The Stuxnet malware, variants and a few other Trojans shows others are able to compromise the chain of trust in driver signing by one means or another, either as criminal gang stealing from the companies, or from MS via a state-sponsored link. Tinfoil hats discus..

    Unless the PC administrator has genuine control over the UEFI booting to allow 3rd party tools to work, this is a massive step backwards in freedom and security.

  4. Anonymous Coward
    Anonymous Coward

    lobs in molotov and runs...

    So, this would be the BIOS replacement that's been on Macs for years now?

    1. Paul Crawford Silver badge

      @lobs in molotov and runs...

      Yes, but now with code signing on MS' behest.

      Macs allow you to boot other systems. Apple don't care about this as it makes their pricey computers a better value proposition for those who need fast Windows (e.g. gaming) or Linux support without using a VM.

      1. Anonymous Coward
        Anonymous Coward

        @Paul

        Safeboot is not a MS mandated thing, it's part of the UEFI spec, MS have said that they want it for a machine which is to be Win8 certified, this is all.

        1. Ian McNee
          Stop

          M$ Sockpuppet?

          To say that Safeboot is not M$ mandated is technically true but effectively a big fat lie - due to M$'s monopoly position in the desktop OS "market" and consequentially disproportionate influence on OEM & motherboard suppliers.

  5. Dr Dan Holdsworth
    FAIL

    Remember the basics of security, please!

    If you think back to those early lessons in security, and to a certain Kevin Mitnik's career as a criminal, then you will be well aware (as the governments of the world don't seem to be) that the weak link in security is usually the human element. Government IT is unusually vulnerable, mostly due to gibbering idiocy and computer illiteracy in their higher echelons of command. MPs, politicians and senior civil servants are almost universally IT-illiterate, and unusually susceptible to fast-talking IT outsourcing companies, to the extent that in Britain at least the civil service is woefully de-skilled in IT, outsourcing everything but common sense (which all parties seem to lack) to external suppliers.

    So, the main problem here is that the outsourcing companies will give the civil servants a Noddy guide to cryptographic authentication, then hand over the system to underpaid, under-motivated, and woefully under-skilled civil servants for day to day running. Pretty soon, someone will approach one of these muppets with the classic hold-all full of used twenties, in return for a copy of the signing key, and eventually this approach will succeed. Alternatively it is always possible to throw the forces of an international botnet against the problem, and try to crack the keys.

    Government IT, as I said, is under-skilled to the extent that the senior people will actually believe the suppliers when they claim that the signing system is all the security they will ever need. Thus when (not if) this system gets broken into, the people running it will sincerely believe it to be invincible and the poor PFY who breaks the terrible news is going to get a dose of shoot-the-messenger syndrome.

    So, like all big IT schemes, this one will fail.

    1. Ohb1knewbie
      Thumb Up

      Another Silver Bullet

      This is precisely the point that will be missed by all the PHBs who are unfortunately empowered to make this happen.

      They'll be sold yet another be all end all “Silver Bullet” to end all their IT worries while at the same time giving them the tools to engage in whatever underhanded schemes their hearts desire thus rendering them “Invincible, Untouchable and All-Seeing” for evermore (cue triumphant sounding music).

      Thereafter any and every warning will be met with scoffing replies that “they've already addressed your concerns and you really should just STFU and get back to work”, right up the the point where they come looking for someone to sacrifice to save their own skins.

      The rest of us will, of course, be to distracted by whatever disaster ensues to take the time to say we told you so.

    2. Anonymous Coward
      Anonymous Coward

      Who needs a wallet filled with used Jacksons?

      You tell them you're the new admin for the head honcho and you really, really need this because said honcho is on travel (Geneva's always a good choice unless you are actually in Geneva) and you need the key so he can deliver his keynote address.

    3. fajensen
      Big Brother

      The Government Like!

      The kind of government who earlier wanted to place microphones in all the lamppost has maybe realised how nice it would be with a microphone and a camera in all the computers?

      And unlimited access to all the users "stuff"? To protect the children.

  6. Anonymous Coward
    Anonymous Coward

    Absolutely right

    He's hit the proverbial nail on the head. If you have a key which restricts who can install software on your system then obviously the onus falls on the persons in charge of the key, just like you have with TPM enabled motherboards currently.

    There is absolutely nothing, again apart from the persons in charge of the key, stopping companies/goverments/whoever from using that exact same mechanism to make their not so innocent software installable, without fearing detection. In simple terms, Sony's rootkit would have been undetectable by the OS if run under this.

  7. Crofty616

    Oh boo hoo

    "Building signed boot into UEFI will extend Microsoft’s power over the markets for AV software and other security tools that install around boot time"

    They make their living by feeding off the flaws in other peoples (Microsoft's) software, and now they cry when Microsoft actually do something about the security of their own software?

    Haven't made my mind up on Secure boot yet, but Anti Virus groups crying over it just irritates me...

    1. Anonymous Coward
      Anonymous Coward

      @Crofty616

      "nd now they cry when Microsoft actually do something about the security of their own software?"

      They're doing very little about it. Most viruses/trojans are still drive by, not boot loaders, and if you think Win8 will eliminate these then I've got some snake oil I can sell you. All this will do is prevent anti virus running to tell you about it.

      1. Crofty616

        @boltar

        Don't get me wrong, I have no illusions about Win 8 being some magical virus free heaven, that wasn't the point that I was making.

        My point was that it really irritates me when Anti Virus companies kick up a fuss about new security features (good or bad) released by Microsoft based on their fear of losing profits, which lets face it is their main concern here "If Microsoft don't like us, and dont give us keys/add us to work on boot, we wont be able to make money from them anymore"

        Let the down votes continue, but that's my take on it...

  8. big_D Silver badge
    Stop

    Nothing to do with Microsoft...

    The key would be built into the UEFI, which would mean that each manufacturer would need to be approached and have the key added to their UEFIs.

    AV companies would need to get their Certs put into the UEFIs as well, for boot CDs. Once the software is installed in Windows, it shouldn't be a problem, unless the AV software is trying to install as a rootkit.

    The same goes for government trojans, most load in the background, once Windows has started booting.

    I thought the whole point of the UEFI safe boot was to ensure that the boot sector / boot image wasn't infected by a root kit, to protect the PC, until the operating system gets around to loading the AV software.

    If that is the case, it won't make any difference to state sponsored malware or AV companies, other than rescue CDs.

    1. Anonymous Coward
      Anonymous Coward

      @big_D - Not quite so!

      There are no keys built into UEFI except manufacturer's public key. The UEFI manufacturer will sign Microsoft Windows8 boot loader with its private secret key and UEFI will verify it before each boot. AV companies will have to make sure the boot-loader modified by their software is signed by UEFI maker.

      For Microsoft it's a walk in the park. Announce Windows 8, get their boot-loader signed, sell Windows 8 PC for exactly 2-3 years then come up and repeat with Windows 9, 10 11 ad infinitum. Scrap all previous hardware + software and start selling the new one every 3 years is not a problem for MS, they dreamed of this for decades. Now for anyone coming with a software product that need permission/access to boot process it's a totally different matter: you must start touring all MB/BIOS manufacturers for crypto signatures every time your signed software changes. Here comes the most tricky part: those manufacturers might have some incentives from Microsoft to delay or prevent your access to the market, we've seen this before so many times.

  9. Dazed and Confused

    Thank *&^% someone is pointing this out publicly

    If you secure the boot process, then you can't watch it easily.

    The keys are bound to leak, they always do.

    Malware either from some criminally insane gubberment or just plain crim will make its way onto systems and you won't be able to do diddly squat about it.

    It is the same as the proposal a few years ago to make "secure" disk drives, where SW without the right key couldn't read the disk blocks, would just mean viruses which the the AV tools can't see.

  10. Scott Broukell

    But Shirley ...

    ... the switch / option will be there in the BIOS settings do Enable / Disable UEFI ?

    Or will "all your BIOS belongs to us" be the way of the future?

    In which case we may witness the rise of third-party chips n'that to circumvent tings a bittsy ?

  11. TheAincient

    What happens when?

    What happens when virus and malware creators get their hands on the key?

    I guess we are all stuffed at that stage.

    Eventually they BIOS keys will fall into the wrong hands,

    1. Reg T.
      Linux

      The keys

      are already in the "wrong" hands. Read the article -

      "If the Turkish government compelled Microsoft to include the Tubitak key in Windows..."

      MS, Google, Facebook and similar organizations are proxies for governments. Tor is an apparatus for espionage and "crowd" control, in that the users can be identified and rounded up by State security, as in Iran. If the NSA contributes to the kernel (SELinux) do you suppose they do it because it is a beneficent charity which loves folk?

      Instead of the "trojan" in the interior, look at the horse itself. There are no "safe" gift horses.

      You who folk who brag about Linux security - when was the last time you read each line of code in the latest kernel? And, since when is "compiling" a substitute for reading code?

      1. Anonymous Coward
        Anonymous Coward

        @Reg T. - You don't seem to know much about Linux, mate!

        First of all, as opposed to proprietary software, I am able to read the source code and recompile it if I want / need. Heck, if I don't trust a certain Linux distribution I can even create mine the way I like it!

        It is true that NSA has contributed to SEL project but even the most mediocre Linux user knows how to disable or completely remove it from his system (try doing this at home with DRM in Windows).

        Second, when you will really understand Linux, you'll find out there is no need to read every line of code. For your enlightenment, we're using code that is cryptographically signed but I agree with you it requires exercising the brain a little bit (warning sign for Windows users) on how to make sure your system is not tainted. This is life, mate, nobody said it's fair, you can't remain illiterate and safe at the same time.

  12. Adrian Challinor
    Flame

    Legacy PC's

    As a Linux user, clearly I'm concerned. But then I build my own PC's and this will simply mean I choose motherboards that allow me to disable UEFI, or at least the signing requirement.

    But what about the current users out there. I gather from the press that there are a few Windows 7 users, even the off Vista user, and I hear Windows XP users as well. The rumour is that there are quite a few of these users. Are they all going to need to buy a new PC as well as a copy of Windows 8? That is really going to make PC World's day, don't you think?

    And then we have all the fun with the users. "I just bought this new PC with Windows 8, and none of my iTunes files are on it. What's more, I plugged by iPad in to the new box and iTunes wiped it for me. WHERE IS MY MUSIC?".

    Can't help think that this one needs a bit more careful thought. Then again, it is Macro$haft we are talking about here.

    1. bobbles31

      It takes a special kind of commentard to get from UEFI to iTunes, but you managed it with aplomb.

    2. Gordon Fecyk
      FAIL

      So vote with your wallet already.

      Last I checked no one forces you to buy a PC pre-loaded with Windows or a motherboard with UEFI, and slapping together a new PC is as simple as asking your parts dealer to do it for you.

      And no one forces you to use iTunes or an iSlab, either. Netbooks are still a viable replacement for "fondleslabs," as El Reg is fond of calling them.

      1. Steven Roper
        Facepalm

        Oh, no, not the old "nobody is forcing you" bullshit again

        Read my text: YES. THEY. ARE.

        When the time comes, Microsoft will simply use its market power, as it has done many times before, to force mobo makers to ship their boards with UEFI or face losing their supplier/OEM discounts. No manufacturer will risk cutting themselves out of that market for the sake of being able to sell untainted boards to a few techy geeks.

        As to nobody forcing us to use an iSlab - Apple themselves are doing that, by suing every competitor off the market on every stupid round-corner patent they can abuse. I live in Australia. Because of Apple, my only choice if I want a new tablet is an iPad, because they've gotten Samsung's offering banned here, and they're busy trying to stop other tablets too.

        So enough with the "nobody's forcing you" crap already. Most people are aware by now that there are ways of forcing things on to people without resorting to machine guns and rocket launchers.

        1. Gordon Fecyk
          Stop

          Don't by a fondleslab then, sheesh

          "Because of Apple, my only choice if I want a new tablet is an iPad, because they've gotten Samsung's offering banned here, and they're busy trying to stop other tablets too."

          Didn't I use netbooks as an example of a fondleslab replacement?

          And is Asustek (practically the inventor of the netbook) and MSI really going to stop making PC motherboards or netbooks just because Microsoft says they can't run Windows 8 with them?

          Vote with your wallet.

  13. Psymon

    yet another storm in a teacup

    All this chicken-little knashing of teeth and arm waving is tediously familiar, and smacks of the same paranoia that surrounded CPUID and TPM technologies when they were first introduced.

    At the end of the day, this is merely a step toward improving overall security within the OS. As with all the other "controversial" technologies, there will be an option to SWITCH IT OFF in the bios.

    There ya go, you can breath again now.

    1. Dazed and Confused

      @stormy tea cups

      You've missed the point here.

      1) the standard does not say there needs to be a way to turn it off. So no, not all PCs will necessarily have the magic switch. M$ get to pass the buck to the PC manufactures, but will probably only be passing the bucks to those who play nicely (by them) it is after all their money, but most PC manufactures live by it.

      2) if you turn it off, you won't be able to boot Windows. Now you and I might view that as the greatest idea since Babbage started this ball rolling, but most people would find that a problem.

      SO if you can't boot windows with it turned off, you probably won't be able to read your windows system volume with it turned off either. So how is clam or what ever tool going to tell you your system is clean?

    2. Anonymous Coward
      Anonymous Coward

      @Psymon - I wouldn't call it a storm

      It's more like a tiny drop of fresh urine in your teacup. Unlike you, the situation is getting serious.

      BIOS and MB manufacturers have not the slightest incentive to add that on/off switch for you, especially if this will add a couple of dollars on top of the cost of each unit produced.

      In case you are concerned by this topic, your post is inappropriate and in case you are not concerned by end user digital freedoms then your post is totally unnecessary.

  14. Anonymous Coward
    Anonymous Coward

    Gimme the keeeeys

    In order to prevent malware to infect the shoddy operating softare, they "accidentally" shut out the third party anti-malware software. I think we have some practical, policy, politicking, and, well, basic trust issues. Secure boot, in short, isn't going to be worth the hassle _to the end users_, but they'll not get a vote in this.

    Which brings us back to exactly what was voiced about those non-redmondian systems: Who's going to get ahold of the keys? If I, owner of the hardware, do not get the keys to same, do I still own it? I don't think I'll see it that way. As I'm buying hardware to do exactly what I tell it to, not to, say, enter in some on-going entertainment deal like the marketeering of game consoles sees it, not getting full access is simply not acceptable.

    I think that every buyer should insist on getting all the keys to their hardware, and accept no substitutes. In fact one could argue that corporate responsibility should drive enterprise pc buyers to insist on hassle free full access for every last hardware owner, not just for big enterprises. That, or just drop the entire key idea and, as an industry, point redmond to put more effort where it counts: Good, well-written software that isn't so painfully vulnerable to such a large host of increasingly sneaky malware. The net benefits of this keying thing really aren't worth the price to the public.

  15. John Smith 19 Gold badge
    Thumb Down

    anyone remember "Paladium"?

    Another of MS's "trusted computing" initiatives.

    No more corporate documents being read by "unauthorized" machines.

    It just needed *every* I/O device to support real time decryption of the datastream (so no back up copying of the *raw* data stream.

    An end to industrial espionage (and investigative journalism) and piracy (or backup copying of your honestly bought software/movies/music).

    Stupid idea then.

    Stupid idea now.

    And yes the idea that *any* system that relies on a secret key *remaining* secret will remain secure (IE its bi directional) for long ignores the history of *all* previous such computer security systems.

  16. Christian Berger
    Facepalm

    And again

    Code signing is not a security feature. It never has been and it never will be. It only places some control of the system to whoever can sign the code.

    Since manufacturers and governments have repeatedly shown that they will abuse any power they can get, it's not a good idea to give them control of your systems. Period.

  17. Anonymous Coward
    Anonymous Coward

    cut the crap?

    The only purpose of secured boot is to guarantee that Micro$oft will be the only operating system that computers can use. A secured boot can be obtained by putting ether a switch on the hardware or bios that won't let the boot record to be changed unless that switch is set period. Its all about money. IF you will notice, M$ is currently going after Android as well. If you just bought a new Windows 7 gaming system and spend a bit of money on it, it won't run Windows 8 and you are out of luck!

    1. Notas Badoff
      Unhappy

      cut off foot?

      "If you just bought a new Windows 7 gaming system ... it won't run Windows 8 and you are out of luck!"

      This is the part that confuses me. Who signs what? If it is Windows that is signed with the manufacturers' keys (*all/each* manufacturers' keys?) then a new release of Windows simply gets signed with old and any new keys and it is good to boot? No problem for new windows on old machines?

      But if the manufacturers private key gets swiped, then Microsoft will refuse to sign new releases with that old key, and *then* new windows won't boot on old machines?

      I'm just trying to figure out how many iterations of "sorry, your newest machine bought only 2 years ago is now junk, because of them hac6erz" it will take to bring this into 'disfavor'

  18. Anonymous Coward
    Anonymous Coward

    Ross...

    Ross Anderson seems to be getting a little paranoid of late... Also, he doesn't seem to actually understand what he's talking about there - He suggests that a signed boot system could prevent Metro applications from running? How, exactly? They are installed by the user. He then goes on to say that the the Turkish government could make MS sign some of their code with the MS key, totally missing the entire point of secure boot that the code is signed by a 3rd party, the OEM. Then he goes on about Wall St somehow preventing Greece from having keys because they've fallen out - again the OEMs produce the signed code - and implying that Turkey would be easily able to spy on Greece in this case.

    It's another in an unfortunate line of self publicising rants from Prof Anderson, which are being lapped up by various people because they criticise MS, or banks, rather than for any other reason.

    Ross has done some very, very good work, but recently I'm starting to wonder what's going on in Cambridge?

    1. Anonymous Coward
      Anonymous Coward

      @AC 21:26 GMT - Not at all, my good friend!

      User will be unable to install any application if that application or the app store can't verify if the OS has been booted in an approved manner. Roos says here user is no longer in control of his computer.

      Turkish, Chinese, US or any other government can make pressure on OEMs to sign any official state sanctioned spyware rootkit so it will be stuffed on your machine against your will. Ross says here it already happened when Turkish government managed to "convince" a software vendor to do such thing and very few people protested.

      Wall Street via US government agencies can (and surely will) make pressure on OEMs to allow installing nasty spyware on machines destined for some country. It all depends on who is US friendly and OEMs will have nothing to do but to comply. Ross says here that companies doing business in the US are subject to US laws and regulations heavily rigged by corporate interests.

      Microsoft is only trying to blindside us all here because all computer OEM are under Microsoft control so any insinuation that this will be a totally impartial and neutral process is like listening Stalin making promises on human rights protection.

      Be vigilant, don't be naive!

      1. Anonymous Coward
        Anonymous Coward

        @AC

        Yes, be vigilant, don't be naive, but also: Don't be a paranoid conspiracist.

        When supposedly highly intelligent people like Ross Anderson start their blogs with comments like: "I hear that..." (check it out, the original blog said that) and then go on about how x,y,z company is going to prevent all Linux users from ever being able to use linux again, you've got to wonder what's up with that? If any other professor started a blog post with such a comment and then made such an extrapolation people here would be all over it, but because it's Ross Anderson and he's making anti-MS comments, it's lapped up without even cursory examination of the pertinent facts.

  19. Anonymous Coward
    Mushroom

    Time To Move To

    ARM platforms. Fsck Wintel.

    1. Random Handle
      Happy

      The 32-bit edition of Windows 8 supports ARM but not UEFI......sounds perfect for you.

  20. Mike 16

    Moving to ARM

    "Time to move"? Nope. Win8 will run on ARM.

  21. Al 4
    Thumb Down

    In circuit emulators

    In circuit emulators will enable anyone that wants to, to get the boot information since they operate outside the system. It will be just a matter of time before these "Keys" are being sold to virus writers and other nefarious types. With an authentication system in place and the viruses being authenticated to the systems as a friend it will be much easier to infect machines with the OS welcoming them with open arms.

  22. Dazed and Confused

    @Al4

    The traditionally accepted form of key distribution here is to print them on tee shirts.

    Programs are subject to the Millennium digital screw you act, tee shirts are covered by the 1st amendment.

This topic is closed for new posts.