If I don't tell the world about the inherent vulnerabilities in UEFI, the world will fall apart!
Yeah, I have these attacks, sometimes -- the "clarity" of the dreaming mind. I suppose I should post a rant about that clarity sometime. But I have three posts in suspended animation, and I really have two other, paying, jobs that I should be putting first, especially if I'm going to be working on Sunday.
(I'll pretend this is service instead of work. ;-) (erk. No, that's not really a valid defense, either. If I'm wrong here, I'm wrong.)
After the morning chores, I still feel inclined to post this, so I'll post the short version here, and (probably after I finish a translation job I've been letting slide too long) unpack it later on my defining computers blog.
So, some primary inherent vulnerabilities in UEFI, at least, as Microsoft is pushing it for MSW8:
- Microsoft owns the keys to your computer (including MSWindows "smart phones").
- You cannot re-tool the keys to your computer without breaking the "license" Microsoft issues for your computer running their OS, starting from MSWindows 8.
- Microsoft's master key works on everyone's computer, as I understand it.
More to the point, are you comfortable with the fact that someone could duplicate or reverse-engineer the Microsoft key and, without any notice to you, put a trojan horse, password logger, and all sorts of other evil stuff on your computer? Your bank information, your job information, your private letters, whatever -- all easy pickings.
- The manufacturers all have master keys, and, as far as I know, those keys are the same for all the computers they manufacture.
- You are out of the loop. No master key for you. Microsoft and your manufacturer have their own master keys and those take precedence over any master key you can set -- at least any you can set without breaking Microsoft's contracts. And, in the case of ARM-based portable MSWindows devices, any you can set without reverse engineering, which would also put you in breach of the DMCA law in the US.
Note that, while Microsoft's and Intel's power games kill your security and create other problems, they also make it much more difficult to run community-developed OSes like Ubuntu or RedHat Enterprise. And they may make it impossible to legally run them on the same machine you run MSWindows junk on.
Of course, you really have no reason to run MSW8, because all the stuff that keeps you in the MSWindows universe runs on MSW2k, but not on MSW8. Which leads to the proper solution:
- Keep your old machines that you have to run the legacy stuff on.
- Keep them off the network, or in isolated segments.
- Don't let anyone use those old machines as workstations.
- In fact, don't let anyone touch them, except to use the legacy programs.
- Move all your day-to-day-use workstations to RedHat, Cent, Ubuntu, Mint, FreeBSD, OpenBSD, etc., now.
- Don't buy MSW8.
- Don't buy any software or hardware that is dependent on MSWindows 8.
Nor does it solve the problem of write-protecting your BIOS in a meaningful way.
But it lets you keep operating for now.
There is much more to be said on this; hopefully I'll get a chance to do so before summer ends.