Why does Secure Boot need such draconian control?

Pros and cons of Secure Boot explored

 

There's a new unavoidable conundrum for free software, and it has a name that conjures up thoughts of either a totalitarian regime, or a decent way of ensuring that malevolent code doesn't slip in between the cracks in your BIOS and your operating system.
 It's called Secure Boot, and it's part of the Unified Extensible Firmware Interface specification (UEFI) developed for the next generation of PCs.
Secure Boot is designed to only allow signed code to boot your machine, and only entities that hold a valid key can sign the code that will allow your machine to boot. If the code can't be verified, it won't be able to run, in which case you'll probably be presented with an updated version of the message you used to get when you accidentally overwrote the master boot record.
It means that the USB version of Ubuntu 10.10 you've been relying on to undelete your Windows files and repair over-written master boot records will no longer work - at least not on a new machine that conforms to the specification. But then you probably won't have MBRs any more, either. Windows 8, and machines that are sold and certified to run it, will need to use Secure Boot. This is a good thing in some ways. For Microsoft and for Windows users, it will mean that one of the most glaring loopholes in PC security can finally be sealed. Trojans won't be able to hide, and Microsoft will be able to control the entire software stack from the boot to the desktop.
This will make it a lot harder for anything to usurp the operating system before it reaches sentience, and it's something Apple has been able to do for a long time.
It's part of the reason why iOS hardware hasn't yet been compromised and why, despite everyone owning one, Apple's devices seem to be retaining their integrity (though now that I've written this, there's probably some terrible malware infecting every iOS device on the planet).

The downside 

But in other ways, this isn't a good thing. Apple controls every line of code that goes through the CPU, whether that's the bootstrap or any one of the thousands of apps vetted and sandboxed to run on its devices.
It does this on an Apple TV, its music players, its tablets and its phones. Its PCs famously only run on authenticated hardware too, and Apple wants to take the sandbox approach used in iOS development to the desktop.
It will do this by making the OS X App store as popular and as integral to OS X as possible, and by forcing developers into the sandboxed environment it is creating.
There are similarities between the level of control in Secure Boot and the direction Apple is headed in when it comes to running software on your hardware, and while this development will be good for consumer confidence, I don't think it's a good thing for freedom or for security.
It stinks of an easy option being made because, surreptitiously, it's an idea that also works to give Microsoft more control. There should be a more imaginative solution to these problems, because it's unclear what this going to mean for Linux - and more importantly, what is it going to mean for choice.
Do you really want an operating system vendor to have this level of control over your hardware? Apple customers can be excused somewhat because they buy a device that's been 'Designed by Apple in California', and they know what they're not getting. But the PC market is completely different, and in a good way.
There's no official platform, hardware or vendor. There's massive variety, and whether you're buying a laptop or putting your PC together from components, you have a great deal of choice.

Removing choice 

Big Linux distributions like Fedora and Ubuntu are making their own arrangements for procuring the credentials to allow booting - the price isn't prohibitive, and it's a system managed by Verisign, not Microsoft. But it's causing a split, not just because people can't agree on the best approach, but because it's already creating friction.
The Free Software Foundation, for instance, criticised Ubuntu's plans use an Ubuntu-specific key for what the FSF calls Restrictive Boot, as well as Canonical's intention to drop the Grub bootloader over concerns that using it will break the terms of the GPL used to distribute.
But what about the smaller distributions, updates, unofficial re-spins and personal redistribution to friends? I don't understand why Secure Boot needs to have such draconian control over the PC. Why can't it be used only when booting Windows, for example, and who's naive enough to think that the keys won't be cracked or stolen, giving hackers an even softer back door into Windows than before?

Secure Boot isn't a solution, it's about control and it's removing choice from a platform that has always flourished because of it. Whether that was Microsoft capitalising on the rise of IBM-PC clones, or Linux undercutting UNIX when it appeared on x86. And to paraphrase Benjamin Franklin, those who sacrifice freedom for security deserve neither.

ARM PCs Could Possibly Offer A More Secure Experience

When it comes to Windows 8 there are two key changes that really seem to get the most focus, the new Metro UI and added support for ARM processors.
Both of these features are certainly deserving plenty of attention because of what they imply for the change to the desktop in coming years.
Microsoft's 'core' OS has always been targeted at x86 processors (Although NT4 did support a few other architectures like Alpha, MIPS, and IBM Power) and primarily at the traditional workstation-style PC and laptop.
As the company has evolved, so has its strategy and with the newest set of changes heading to Windows 8 we are seeing a complete shift that opens up the door to more casual touch-friendly interfaces and laptops/desktops that no longer use traditional legacy code and x86 processors.
With ARM companies like Qualcomm and Nvidia preparing initiatives that move beyond mobile and into a landscape dominated by Intel, you think that the x86-based Intel and AMD would be at least a little nervous.
According to Intel the legacy support that is found in x86 isn't present in ARM, this means less drivers that work for your favorite cameras, printers, and other attachments. ARM also isn't as fast as Intel, and overall Intel is confident that they have little to lose with Windows 8.
On the contrary, Intel has openly praised Windows 8 and claims to be looking forward to it. Whether or not this is just a 'show' or not, who knows.
What I do know is that I've personally been mixed about the whole thing for a while now. After all, legacy support is awfully important. Still, I've started to think about what major advantages you will find with going ARM on workstations, laptops, and home PCs versus keeping to the traditional x86 side of the fence.
I've come up with one possible BIG advantage, security.
While this is theoretical at the moment, it seems possible that since Windows 8 isn't legacy-capable in the coding you won't have to worry about all the viruses and malware that currently plagues the x86 version.
I know what you might be thinking, "Well hackers and malware creators will just go ahead and make new viruses that are modified to target Windows 8 on ARM", maybe.
Keep this in mind though, at least for a few years the biggest players in ARM OSes will remain Apple and Google, not Microsoft. So this makes Microsoft less of a target.
Additionally, much of the code found in 'desktop mode' of Windows is very aged and so getting a clean start with the Metro UI and the apps that run it might not be a bad idea.
Additionally, since the Windows ARM version is largely locked down in a way similar to Apple when it comes to apps, it is again a much more secure option than the x86 version.
The big downside though is that if you are a business that is interested in the security aspect you have to be willing to re-make in-house programs for ARM and re-train users for efficiency on the Metro platform, which could become a costly endeavor.
Paying for losses brought about by viruses might end up the cheaper solution for some of these businesses.
Still, getting aboard with Metro might not be a bad idea as I do believe a day will come when Windows no longer supports the traditional applications, instead favoring a combination of Metro and Cloud-based APIs for running programs.
The ARM debate isn't anything new but I do personally think it could have a niche, especially for businesses that don't mind updating to more cloud-centric solutions now.

Windows Video – using Javascript to build Metro style apps in Windows 8

A new video from Microsoft about using JavaScript to build Metro style applications.
In this session, you’ll learn how to organize your code using the same coding standards Microsoft used to build Windows library for JavaScript, how to make your code robust and maintainable.
You’ll also learn how to bring in 3rd party libraries, like  jQuery. If you’re new to Windows 8 development with JavaScript, this sessions is for you.

Windows 8′s New Updating Solution And Possible Alternatives

Microsoft recently revealed a post on their Building Windows 8 blog that the next-generation Windows OS will require fewer reboots for Windows patches and updates.
Admittedly, this sounds pretty awesome. The truth is that the ‘less reboots’ to keep secure is all about smoke and mirrors and they just are delivering the process a bit differently this time around, though I still think its a fairly good solution.
A perfect PC would never require a reboot and all patches would just silently install themselves in the background without getting in the way of your work.
Unfortunately, we live in the real world and the reason for the restarts is that during an update there might be important system files in use that can’t be updated while the machine is running in its current state.
So Windows 8 will at least do the next best thing and reduce the need of reboots by limiting patching to once a month. The new system will simply gather up all the updates and then on the second Tuesday of each month it will restart and install all the patches and security fixes.
This means that by waiting until the second Tuesday of each month all your updates are ready, they just aren’t installed. This smoke and mirrors approach means that all patching will happen en mass meaning that you might have patches that you downloaded two weeks ago for a security fix that is just getting updated now.
Luckily all the major security patches will still require immediate reboots, but it still has to make you wonder if waiting around for a patch is really any better.
So in short, Microsoft makes good on its “less reboots” promise, though they phrase it in a way that it sounds like patching is still going on in the background you just don’t need to reboot as much.
I understand Microsoft’s reason for wanting fewer boots and have had a personal experience where I walked away from some work only to find my PC rebooting and I lost it all. It’s possible this is the best solution that they can offer with current hardware technology but I wish it wasn’t the case.
So what would I propose instead- proving that the technology could actually handle it? How about smart technology inside of Windows that is ‘always-on’ and when your PC is already off it turns on your machine, grabs the updates, installs them, shuts back down, and on restart your previous shut-off state is resumed so that nothing looks or seems different.
With this approach you wouldn’t even know you ever received updates unless you looked at your update log. This sounds cool but who knows if it is actually reasonably possible and I suppose this scenario also doesn’t take into consideration people who never shut down their PC unless they have to.
So if not the first scenario, why not smart software that detects that there has been no new activity in X amount of time. The PC could then make a save image that would include any and all open and in progress work.
The computer would restart, install the patches, and the load up the image that would ensure all your previous work was still there and unchanged. Again, perhaps this is just not possible.
Microsoft is really working hard to improve security, speed, and convenience in Windows 8 so I don’t want to sound like a complainer. I like Microsoft’s ‘less booting’ plan and fully support it.

The Perfect Windows 8 Hardware?

What would be the perfect hardware to run Windows 8 on? That’s not an easy question. The “perfect” hardware would have to run Windows 8 seamlessly with the least possible flaws, the processor would be able to run all the Windows 8 graphics completely smoothly as well as other videos from the web and on you hard drive without draining the hardware’s battery life.
This device would also have to have a touchscreen to take advantage of the new touch oriented Metro user interface.

The Transformer 2 combines tablets with traditional laptops.

Some people are touting the all new Asus Transformer 2 as the perfect hardware for Windows 8. The Transformer 2 was revealed on Wednesday this past week, but it’s been expected for a while. It runs the new  Kal-El 5 core Nvidia Tegra 3 processor and it ships with Android version 4.0 (Ice-cream Sandwhich.)
Windows 8 will now finally be compatible with the Transformer because Windows 8 is the first desktop version of Microsoft’s operating system that can run ARM processors like the Tegra. The first Transformer from Asus was reportedly slow, but this one looks sleeker and is apparently lighter and faster as well. It should be powerful enough to run Windows 8 smoothly.
The Transformer 2 has a special feature, it has the ability to hook up with a keyboard dock with an extra battery built in. This makes it easy to type papers and essays and even articles like this one all on your tablet. Also it doubles the device’s battery life.
The iPad has a keyboard that is sort of like this one, but the keyboard for the iPad can only attach to the iPad when the iPad is in portrait orientation. It also does not have an extra battery or a trackpad that makes the Transformer 2 seem more like a touch screen laptop when plugged into the keyboard.
Windows 8 is designed to work best with both tablets and traditional computers such as desktops and laptops. With the Transformer 2, it’s kind of the best of both worlds.
Even though it’s kind of cool that there is a trackpad that comes with the external keyboard, it’s not very practical to have two methods of interacting with the device. Old fashioned users who don’t own any touch screen devices could buy this and just use it like a traditional laptop and never use the screen as a way to interact with the device.
These users would stick to the trackpad and then the Transformer 2 wouldn’t be that special anymore. It would basically be a netbook. Even users that do own touch screen devices would probably still use the trackpad whenever the keyboard was attached and they would just keep the keyboard on the entire time, just out of habit. This just seems counter-intuitive to me and I think we could do without a trackpad.
Some people are claiming that ultra-books would be the best Windows 8 device, and even though that they will be vastly improved by the time Windows 8 launches to the public, they still won’t have touch screens, and tablets without the option of a keyboard also probably wouldn’t do as well in the market just because of products like the Transformer 2 that combine the functionality of a laptop and a tablet.
Overall, even though Android would not be easily replaced on one of these tablets, if Windows 8 could be put on the Transformer 2, it would work great. You could use it easily with one hand while doing basic functions like looking at your stocks, and you could type any paper easily with the attachable keyboard.