Windows 10 announcement: certified hardware can lock out competing OSes

Anecdotes aren’t data, but I can say that every one of my friends and pretty much every person in the company I work for (right down to the billing/accounting people) have either done so at one time or another or had someone else do it for them. Granted, it’s a tech company, but still…

Laptops are probably more likely to stay with the original OS, but it’s not nearly as certain with desktops.

As for Microsoft having dictatorial control, it’s not that long ago that it was fairly difficult as a consumer to buy any computer other than an Apple without also getting a copy of Windows whether you wanted it or not. It’s still not incredibly easy unless you’re building from scratch. I’m sure they’d love to get back into that kind of position, even with the possibility of another antitrust lawsuit for it.

3 Likes

Think broadly, too. When everything you buy has a ‘trusted machine’ in it, you may find that more people want to clear that software. Refrigerators, dishwashers, cars, phones, everything will have a computer in it, and we won’t have control over those computers unless we are able to take control.

Let’s take the fridge as an example. When the fridge logs in and out all food, and reports that to the manufacturer, what happens to the information? Will Whirlpool or GE sell the information to local supermarkets, or to your health insurer? Buy ice cream and pizza too often? Lose your coverage.

5 Likes

Yes, that’s what worries me too. The Internet of Things is a double-edged sword. As long as we keep the control over the data, it is fairly safe. But the data will flow in torrents to third parties hell-bent on monetizing them. Unless we stop them.

The same technologies, the same fake SSL certificates that are a problem for us when the proxies are corporate- or government-run can be used to keep our own machines honest, when we are the ones who run them.

2 Likes

Maybe not an unbiased sample. I work for an insurance company and the IT department is married to Windows because that way it’s not their fault. I’m pretty sure they’ve heard of Mac.

2 Likes

Definitely not an unbiased sample, which is why I mentioned that. But even so, it even includes the beancounters.

The greater numbers are not users installing a new OS, it’s administrators. Corporate fleets make up a huge portion of computer and OS license sales. And these systems get flashed with a company-standard OS image. The “new” OS doesn’t even need to be very different, it could even be replacing one Windows 8 install with another Windows 8 install - but the install image is a known quantity, set up in a certain way, sometimes with specific extras included.

Also, the past twenty years are not the same computer ecosystem as we have now. Now we have “respected” vendors selling units off the shelf with rootkits installed. We have the NSA actually putting out compromised install media. So there is more of a reason to wipe a system and start from a secure install than ever. There is more risk than ever. And requiring a certain installer for the system to work would tie our hands to do anything about it.

Why is Microsoft having any dictatorial control acceptable? This runs completely contrary to the “let the market decide” mentality which corporations claim to embrace, and it’s worth confronting them about this. Somebody changing the game to take consumer choice away isn’t excusable. What if Microsoft gives away Windows 10 for free, and gets everybody used to this, and then charges $300 for Windows 11? Sorry pal, you’ve got to pay up now or buy another computer. Do you really think they won’t lock out older versions of Windows, and force people to upgrade? After the hit they took from losing years worth of sales to XP holdouts, I guarantee they will. Anybody who thinks that this doesn’t affect them as Windows users is kidding themselves.

5 Likes

Would violate anti-trust laws, if there was literally no way to boot other operating systems. I’d expect that microsoft adopt a policy to make it a pain in the arse to install linux, without actually making it impossible. How about a “key fee” e.g. if you are willing to post a cheque to microsoft for the equivalent value of a new install of Windows, they’ll tell you the key required to disable your individual TPM?

pros can already add their own entries to the list of “trusted” bootloaders that lives inside secureboot. there are more than one method of doing it too (see ‘related work’ slide). i’m not claiming to know how exactly but it is possible. on the other side of that same coin there have been bugs with secureboot that can be exploited to just completely lock the machine in an unbootable state forever. but i wouldn’t worry about secureboot too much, it can already be defeated, i think its more “for show”.

http://aether.hackinthebox.org//wp-content/uploads/2014/01/D1T2-More-Ways-to-Defeat-Secure-Boot.pdf

2 Likes

I’m confused. Would I be able to boot Windows 10 on my Mac or not?

It’s not about being able to put Windows 10 on anything. It’s about hardware being made to only run Windows, and nothing else. Fair guess Apple’s not that desperate.

3 Likes

They really only have to have dictatorial control over a broad majority of the cheap end of the market to seriously hobble hobbyists.

4 Likes

Kids sit down and let me tell you some stories about the days before the machines were in control… before my monitoring chip gets upgraded.

4 Likes

The “relaxation” is because they are actually removing a requirement from their ‘Designed for Windows’ sticker program. Previously OEMs had to have a Secure Boot feature and also had to have a way to turn it off. The rules are technically more relaxed because now Microsoft no longer requires them to have a turn off switch.

I don’t think it’s quite as serious as it’s being made out because it only affects Designed for Windows machines coming from OEMs acting in bad faith, and because the sticker is really only a marketing advantage in the home consumer sector, which is also the sector least likely to ever install a different OS on that box.

3 Likes

Well, that’s the end of Windows. I mean, Ubuntu and Android have nearly killed it anyway, but this will just be the final nail in the coffin. Gates’ pet clown, laughing as the flaming wreckage falls…

1 Like

For everyone freaking out, this just means that unsigned OSes wont be able to boot. Yes this sucks, but no this doesnt mean that you cant run linux anymore. Redhat has paid (I know I know you have to pay) for registering a siAnature, which means both redhat and fedora will both still work.

Also its not like all windows computers will be on locked down hardware, just that OEMs will now have the option to not allow BIOS. Im betting that very few OEMs will bother changing their hardware specifically for windows 10, and BIOS will survive for years and years to come.

The Ars article had a terrible headline, and Corey described it fine. All Microsoft has done is give OEMs the power to NOT include an off-switch if they don’t want to. Microsoft is NOT making “the Secure Boot alt-OS lock out a reality”. That’s totally up to the OEMs.

1 Like

I know. It’s still a shite move, which only incoveniences anybody who doesn’t happen to be Microsoft. It still sets a precedent for using the TPM against the consumer. Even if it’s unsuccessful, I still have a lot of contempt for their desire to control their customers systems, however many they put out there.

2 Likes

“any time someone puts a lock on something that belongs to you, and won’t give you the key, that lock isn’t for your benefit.”

Except this isn’t quite true. This “lock”, if it’s installed, is being installed on a device that does not belong to you. It is your choice to decide if you wish to purchase it or not. There are security-based reasons to have it with, or without, those locks. It’s completely up to the buyer to decide which one they prefer.

2 Likes

…how does a computer you paid money for and have physical ownership of “not belong to you”?

Also, what happens when there ISN’T the option not to do this? What choice does the buyer get then?

3 Likes

Epoxy is unnecessary with BGA packaging.

But of course the boot code chip will have JTAG etc. disabled. Or simply etched on the same die as the CPU.